On 3/10/14, 2:36 PM, "Tom Scavo" <trscavo@gmail.com> wrote:
>
> If you're referring to the SAML spec, it has nothing to say about this
> issue. The companion spec that Peter pointed to is one approach, but there
> is a small fraction of Federations worldwide (that I know of, anyway)
> that employ a model based on CA-signed certificates in metadata.
As long as it's exactly one, controlled, CA, that's relatively safe.
Otherwise it's simply asking to get hacked, because without naming
constraints and/or control over the issuance, you have no control over
what's being issued and what the relationship is between a SAML name and a
subject DN. There is nothing in SAML to do this, and there is no standard
way of expressing the right rules in SAML metadata (though there are
non-standard ways).
In short, a good number of SAML systems in the world have literally no
idea what they're doing and are operating unsafely. That is probably
unsurprising since you could s/SAML/anything in that sentence and be
accurate.
-- Scott
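The two conditions Scott describes, "exactly one, controlled, CA" and a defined relationship between the SAML name and the subject DN, as an added example (not code from this thread or from any SAML implementation). Since there is no standard rule for that mapping, the script assumes one as a federation convention: the certificate's subject CN must equal the host part of the entityID. It builds a throwaway PKI with the openssl CLI; every name in it (sp.example.org, idp.example.edu, the CA names) is constructed.

```shell
#!/bin/sh
# Added example, not from the saml-dev thread. Checks a metadata certificate
# against a single pinned federation CA and an assumed name-mapping rule
# (subject CN == entityID host). Requires the openssl CLI.

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: make_ca NAME "Subject CN"  -> $WORK/NAME.key, $WORK/NAME.pem
make_ca() {
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# End-entity cert: issue_cert CANAME CN OUT -> $WORK/OUT.pem signed by CANAME
issue_cert() {
    ca="$1"; cn="$2"; out="$3"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$out.key" -out "$WORK/$out.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$out.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -out "$WORK/$out.pem" -days 1 >/dev/null 2>&1
}

# Host part of an entityID URL, e.g. https://sp.example.org/shibboleth -> sp.example.org
entity_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#[/:].*$##'
}

# Subject CN of a PEM certificate (a single CN value is assumed)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_metadata_cert CERT ENTITYID CAFILE -> exit 0 if acceptable, 1 otherwise
check_metadata_cert() {
    cert="$1"; entity="$2"; cafile="$3"
    # Condition 1: chains to the one controlled CA only; the system trust store is
    # deliberately excluded, otherwise any public CA's issuance decisions count.
    if ! openssl verify -no-CApath -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "reject: $cert does not chain to the federation CA" >&2
        return 1
    fi
    # Condition 2: the subject DN must map to the SAML entity name. Without this
    # rule any cert the CA ever issued could be presented for any entityID.
    if [ "$(cert_cn "$cert")" != "$(entity_host "$entity")" ]; then
        echo "reject: subject CN '$(cert_cn "$cert")' does not match entityID $entity" >&2
        return 1
    fi
    return 0
}

# Constructed demo PKI: one federation CA, one unrelated CA, three SP certificates
setup_demo() {
    make_ca fedca "Constructed Federation CA"
    make_ca otherca "Some Other Public CA"
    issue_cert fedca sp.example.org sp_good         # right CA, right name
    issue_cert fedca idp.example.edu sp_wrongname   # right CA, name of another entity
    issue_cert otherca sp.example.org sp_rogue      # right name, but not our CA
}

demo() {
    setup_demo
    for c in sp_good sp_wrongname sp_rogue; do
        if check_metadata_cert "$WORK/$c.pem" "https://sp.example.org/shibboleth" "$WORK/fedca.pem"; then
            echo "$c: accepted"
        else
            echo "$c: rejected"
        fi
    done
}

demo
```

Only sp_good is accepted: sp_rogue fails the chain check because its issuer is not the pinned CA, and sp_wrongname chains correctly but carries a subject that belongs to a different entity, which is exactly the gap a CA-only model leaves open when the CA's issuance is not under the federation's control.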
---------------------------------------------------------------------
To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org