Subject: Re: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack
On Mon, Apr 27, 2009 at 7:34 AM, Scott Cantor <cantor.2@osu.edu> wrote:
>
> What prevents MitM is the use of a protocol that involves proof of
> possession of the key between the client and the IdP, as opposed to
> name/password.

Proof of possession is necessary but not sufficient to prevent MitM, which is what I understood Marc to say in his original post. We need to make it clear in the HoK Web Browser SSO Profile what is required to prevent MitM.

I think the Holder-of-Key Assertion Profile (on which the HoK Web Browser SSO Profile is based) already takes care of this:

"Suppose a SAML issuer wishes to issue a response containing one or more holder-of-key assertions. As a prerequisite, the SAML issuer MUST possess an X.509 certificate known to be associated with the attesting entity."

This is the "known key" requirement alluded to in Marc's original post. So all we need to do in the HoK Web Browser SSO Profile is clarify what this means in the context of web browser SSO.

> I'd just use the standard terminology, "a protocol establishing proof of
> possession of the key".

Not to mince words but I think this should be "a protocol establishing proof of possession of a *known* key".

Tom
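As an added example that is not part of this thread or of the OASIS profile text, the following Python sketches the IdP-side logic the reply argues for: proof of possession is taken as already established by TLS client authentication (outside this code), and the issuer then separately checks that the presented certificate is a *known* key, i.e. one enrolled out of band for the principal, before binding it into a holder-of-key SubjectConfirmation. The registry, the placeholder certificate bytes and the function names are constructed assumptions; only the SAML and XML-DSig namespaces and the holder-of-key confirmation method URI come from the standards.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ds", DS_NS)
ET.register_namespace("xsi", XSI_NS)

# Constructed placeholder bytes standing in for DER-encoded X.509 certificates.
# In a real deployment this is the certificate the browser presented during
# TLS client authentication, which is what establishes proof of possession.
ALICE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-DER-alice"
MALLORY_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-DER-mallory"


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER certificate."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed IdP-side registry (assumption): principal -> fingerprints of the
# certificates enrolled for that principal out of band. This is the "known key"
# association the Holder-of-Key Assertion Profile requires the issuer to have.
KNOWN_KEYS = {"alice": {fingerprint(ALICE_CERT_DER)}}


def is_known_key(principal: str, cert_der: bytes, registry=KNOWN_KEYS) -> bool:
    """True only if cert_der is one of the certificates registered for principal.

    A certificate that merely passed TLS client authentication (any key the
    client can prove possession of) is not enough: it must match an enrolled key.
    """
    return fingerprint(cert_der) in registry.get(principal, set())


def build_hok_subject_confirmation(principal: str, cert_der: bytes,
                                   registry=KNOWN_KEYS) -> str:
    """Build the <saml:SubjectConfirmation> for a holder-of-key assertion.

    Precondition (assumed, not verified here): the TLS layer already completed
    client authentication with the private key matching cert_der, so proof of
    possession holds. This function enforces the second requirement, that the
    key is known to belong to principal, and refuses to issue otherwise.
    """
    if not is_known_key(principal, cert_der, registry):
        raise ValueError(f"certificate presented for {principal!r} is not a registered key")

    sc = ET.Element(f"{{{SAML_NS}}}SubjectConfirmation", {"Method": HOK_METHOD})
    scd = ET.SubElement(sc, f"{{{SAML_NS}}}SubjectConfirmationData",
                        {f"{{{XSI_NS}}}type": "saml:KeyInfoConfirmationDataType"})
    key_info = ET.SubElement(scd, f"{{{DS_NS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    cert_el = ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate")
    cert_el.text = base64.b64encode(cert_der).decode("ascii")
    return ET.tostring(sc, encoding="unicode")


if __name__ == "__main__":
    print(build_hok_subject_confirmation("alice", ALICE_CERT_DER))
    try:
        build_hok_subject_confirmation("alice", MALLORY_CERT_DER)
    except ValueError as exc:
        print("refused:", exc)
```

The split between the two checks is the point of the reply: TLS client authentication answers "does the client hold the private key for this certificate?", while the registry lookup answers "is this certificate the one we know belongs to this principal?". Only the combination gives the issuer grounds to bind the key into the assertion.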