security-services-comment message



Subject: Re: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack


[cc'ing the SAML Public Comment list since the Holder-of-Key Web
Browser SSO Profile is under Public Review at this time]

Hi Marc,

Thanks for the note, and sorry for not replying sooner.  Yes, you
bring up a good point.  Either the statements involving the
"man-in-the-middle" need to be removed or additional requirements need
to be added that make the statements true.  I've been discussing this
with the spec's primary author, Nate Klingenstein, offline (as you
know).  Your suggestion to use a known key seems reasonable.

Again, thanks for the feedback.

Tom

On Thu, Apr 16, 2009 at 8:52 AM, Marc Stern <marc.stern@approach.be> wrote:
> Hello,
>
> I'd like to point out that a man-in-the-middle attack is still possible with
> this profile (I suppose some are aware of this, as it is stated in the
> document "virtually eliminates man-in-the-middle attacks"). If an attacker
> can sit in the middle of both connections (to IdP & SP), it could act as a
> proxy, and use its own key in both cases, which will be consistent with the
> SAML request.
> The only solution is to use a known key to connect to the IdP (with an
> official certificate), which poses a privacy problem, as you will be obliged
> to connect to the SP with your "official" credentials.
>
> Any envisioned work on this (double key authentication or equivalent)?
>
> Thanks,
>
> Marc Stern
> Senior Consultant - Security Group Head
> Approach Belgium - http://www.approach.be
> Avenue Einstein, 2A   -    B-1348 Louvain-la-Neuve   -     Belgium
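The proxying attack Marc describes, and the "known key" check Tom calls reasonable, as an added worked model. This is example code written for this archive page, not code from the SAML Technical Committee, the profile's authors, or any product. It assumes a simplified setting: client keys are opaque fingerprint strings standing in for TLS client certificates, the IdP's XML signature is stood in for by an HMAC with a constructed secret, the assertion is a plain dict rather than SAML XML, and the user's primary authentication at the IdP (which the proxy simply relays) is assumed to succeed and is not modelled. The function and variable names are the example's own.

```python
"""
Toy model of SAML V2.0 Holder-of-Key (HoK) Web Browser SSO and the proxying
man-in-the-middle from the thread above.  Added example; not the SAML TC's or
any vendor's code.  Assumptions: keys are opaque fingerprint strings, the IdP
XML signature is replaced by an HMAC, and the assertion is a plain dict.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the IdP's signing key (in reality an XML-DSig key pair).
IDP_SIGNING_SECRET = b"constructed-idp-signing-secret"


def new_key() -> str:
    """Fingerprint of a freshly generated client key pair (stand-in for a TLS client cert)."""
    return hashlib.sha256(secrets.token_bytes(32)).hexdigest()[:16]


def issue_assertion(subject: str, tls_client_key: str,
                    known_keys: Optional[Dict[str, Set[str]]] = None) -> Optional[dict]:
    """IdP side: bind the assertion to whatever key the client used on the IdP's TLS leg.

    known_keys=None models the profile as drafted: any client key is accepted and bound.
    A registry of known keys models Marc's proposal: only a pre-registered key for this
    subject is accepted, so an assertion is never bound to a key the IdP has not seen before.
    """
    if known_keys is not None and tls_client_key not in known_keys.get(subject, set()):
        return None  # IdP refuses to bind an assertion to an unknown key
    body = {"subject": subject,
            "confirmation": {"method": "holder-of-key", "key": tls_client_key}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_SECRET, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def sp_verify(assertion: dict, tls_client_key: str) -> bool:
    """SP side: verify the IdP signature, then the HoK binding against the presented TLS client key."""
    payload = json.dumps(assertion["body"], sort_keys=True).encode()
    expected = hmac.new(IDP_SIGNING_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    conf = assertion["body"]["confirmation"]
    return conf["method"] == "holder-of-key" and conf["key"] == tls_client_key


def run_direct(subject: str = "alice") -> bool:
    """Honest flow: the same browser key is presented to the IdP and to the SP."""
    browser_key = new_key()
    assertion = issue_assertion(subject, browser_key)
    return sp_verify(assertion, browser_key)


def run_mitm(subject: str = "alice") -> bool:
    """Proxying attacker terminates both TLS legs and presents its own key on each.

    The victim's browser key is only ever seen by the proxy.  The IdP binds the
    assertion to the proxy's key, and the SP sees that same key on its own TLS leg,
    so the HoK check is satisfied and the attack goes through (True = SP accepts).
    """
    browser_key = new_key()   # victim's key: never reaches IdP or SP
    proxy_key = new_key()
    assertion = issue_assertion(subject, proxy_key)   # bound to the proxy, not the victim
    del browser_key                                     # plays no further role in the attack
    return sp_verify(assertion, proxy_key)


def run_mitm_with_known_key(subject: str = "alice") -> Tuple[bool, bool]:
    """Same attack, but the IdP only binds assertions to a key registered for the subject.

    Returns (attack_blocked, honest_login_still_works).
    """
    browser_key = new_key()
    registry = {subject: {browser_key}}   # the user's "official", pre-registered key
    proxy_key = new_key()
    attacked = issue_assertion(subject, proxy_key, known_keys=registry)
    honest = issue_assertion(subject, browser_key, known_keys=registry)
    return attacked is None, sp_verify(honest, browser_key)


if __name__ == "__main__":
    print("direct HoK login accepted by SP:", run_direct())
    print("proxy MITM accepted by SP:      ", run_mitm())
    print("MITM blocked / honest ok (known key):", run_mitm_with_known_key())
```

The SP-side check in `sp_verify` is the one the profile relies on: it catches a stolen assertion replayed from a different key, but it cannot distinguish the proxy from the user because the proxy is the holder of the key on both legs. The `known_keys` registry in `issue_assertion` is where Marc's fix lives, and it is also where the privacy cost he mentions comes from: the key the IdP recognises is now a fixed identifier for the user.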

