Subject: RE: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack
Nate Klingenstein wrote on 2009-04-27:

> My first instinct is that it was intended to simplify the user experience
> given the restrictions of browsers, and because there's already a successful
> challenge/response guaranteed. But as pointed out earlier by Georgia Tech,
> the browser experience is already not great. I'm certainly amenable to
> removing this requirement if we can come up with clean replacement text.

I think it’s a deployment issue as to whether a particular browser limitation should be factored into the setup, I think. I'm sure in the majority of such cases people will do the simple thing, but I don't think the profile needs to dictate it.

-- Scott