Subject: Re: [saml-dev] Same certificate for https and SAML signing
On 3/10/14, 2:36 PM, "Tom Scavo" <trscavo@gmail.com> wrote:

> If you're referring to the SAML spec, it has nothing to say about this
> issue. The companion spec that Peter pointed to is one approach but there
> is a small fraction of Federations worldwide (that I know of, anyway)
> that employ a model based on CA-signed certificates in metadata.

As long as it's exactly one, controlled, CA, that's relatively safe. Otherwise it's simply asking to get hacked, because without naming constraints and/or control over the issuance, you have no control over what's being issued and what the relationship is between a SAML name and a subject DN.

There is nothing in SAML to do this, and there is no standard way of expressing the right rules in SAML metadata (though there are non-standard ways).

In short, a good number of SAML systems in the world have literally no idea what they're doing and are operating unsafely. That is probably unsurprising since you could s/SAML/anything in that sentence and be accurate.

-- Scott
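The point Scott makes above (one controlled CA plus an explicit rule tying the certificate's name to the SAML entity) is easy to state and easy to get wrong in code. The following is an added example, not code from the thread or from any SAML implementation: it builds a single federation CA with a NameConstraints extension, issues end-entity signing certificates, and then applies the checks a relying party would need before accepting such a certificate as the signing key for an entity whose expected DNS name comes from its own metadata. The CA name, the `example.org` name space and the `expected_dns` parameter are all assumptions made for the example; it uses the `cryptography` package.

```python
"""Added example (not from the thread): accept a SAML signing certificate only when it
chains to the one trusted federation CA AND its name matches what metadata says."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _validity(cert):
    """Return (not_before, not_after) as aware UTC datetimes across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:  # older releases expose naive UTC datetimes only
        return (cert.not_valid_before.replace(tzinfo=datetime.timezone.utc),
                cert.not_valid_after.replace(tzinfo=datetime.timezone.utc))
    return nb, cert.not_valid_after_utc


def make_ca(cn, permitted_dns):
    """Self-signed CA (constructed for the example) limited by a NameConstraints extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.NameConstraints(
                permitted_subtrees=[x509.DNSName(d) for d in permitted_dns],
                excluded_subtrees=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, dns_name):
    """End-entity signing cert. No constraint check on purpose: this lets the example
    simulate a CA that ignores its own name constraints, which the verifier must catch."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(dns_name)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def _dns_within(name, permitted):
    return any(name == p or name.endswith("." + p) for p in permitted)


def signing_cert_problems(leaf, trusted_ca, expected_dns):
    """Reasons to reject `leaf` as the signing cert of the entity that metadata binds
    to `expected_dns`. An empty list means accept."""
    problems = []
    # 1. Issued by exactly the one CA we trust: verify the signature over the TBS bytes.
    try:
        trusted_ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                       ec.ECDSA(leaf.signature_hash_algorithm))
    except Exception:
        problems.append("not signed by the trusted federation CA")
    if leaf.issuer != trusted_ca.subject:
        problems.append("issuer DN does not match the trusted CA")
    # 2. Must be an end-entity certificate, never another CA.
    try:
        if leaf.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca:
            problems.append("certificate is marked as a CA")
    except x509.ExtensionNotFound:
        pass
    # 3. Validity window.
    not_before, not_after = _validity(leaf)
    if not (not_before <= NOW <= not_after):
        problems.append("certificate is outside its validity period")
    # 4. The name in the certificate must be the name metadata assigns to this entity.
    try:
        san = leaf.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        dns_names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []
    if expected_dns not in dns_names:
        problems.append(f"SAN {dns_names} does not contain expected name {expected_dns}")
    # 5. Re-check the CA's own name constraints; a mis-issued cert must not slip through.
    try:
        nc = trusted_ca.extensions.get_extension_for_oid(ExtensionOID.NAME_CONSTRAINTS).value
        permitted = [s.value for s in (nc.permitted_subtrees or []) if isinstance(s, x509.DNSName)]
        for d in dns_names:
            if not _dns_within(d, permitted):
                problems.append(f"{d} is outside the CA's permitted name constraints")
    except x509.ExtensionNotFound:
        problems.append("trusted CA carries no name constraints")
    return problems


if __name__ == "__main__":
    ca_key, ca = make_ca("Example Federation CA", ["example.org"])
    print(signing_cert_problems(issue_leaf(ca_key, ca, "idp.example.org"), ca, "idp.example.org"))
    print(signing_cert_problems(issue_leaf(ca_key, ca, "idp.example.com"), ca, "idp.example.com"))
```

Two things the checks make explicit: a certificate from any CA other than the one pinned for the federation is rejected outright (step 1), and even a certificate the trusted CA did issue is rejected unless its SAN equals the name the relying party already holds in metadata for that entity (step 4), so the "SAML name to subject DN" relationship is enforced on the verifier's side rather than assumed from the CA.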