OASIS Mailing List Archives
security-services message



Subject: RE: [security-services] Smart Browser


> The browser protocols that we have are the "one-time" 
> artifact and possibly Shibboleth.

Shibboleth will be using the POST profile, which is part of SAML, so I
wouldn't say we're adding anything to this issue.

> I don't believe that a 
> thorough cryptanalysis has been performed on the "one-time" 
> artifact and thus I don't feel comfortable with proposing it 
> as a security profile for SAML.

I'm not sure anything formal exists, but the vulnerabilities of
browser-transported credentials are pretty well-known at this point, I
think. In general, you limit the window, target the credential, and make
it hard to forge; that's the best you can do.

> I think that Shibboleth is 
> an excellent approach but it doesn't seem to cover the 
> general browser case that SAML is trying to address, i.e. its scope
> is narrower than SAML's in some respects.

It is narrower in some senses, but not in this one. It needs the same
features SAML's web browser profile needs, so we adopted it in the
interest of compatibility. We're not planning on using the artifact, but
the exposures are pretty much the same with POST.

-- Scott
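The three mitigations Scott names for browser-transported credentials (limit the window, target the credential, make it hard to forge), plus the one-time use that gives the artifact its name, as an added example in Python. This is not code from the thread, from SAML, or from Shibboleth; the token format, the shared HMAC key, the 60-second window and the issuer/verifier names are assumptions of this example only, and a real SAML profile carries a signed assertion rather than a pipe-delimited string.

```python
import base64
import hashlib
import hmac
import os

# Assumed for this example: issuer and verifier share one HMAC key. In SAML
# the issuer signs with its own key instead; the checks below are the same.
ISSUER_KEY = b"example-shared-hmac-key"
WINDOW_SECONDS = 60  # assumed validity window


def issue(subject, audience, now, key=ISSUER_KEY, window=WINDOW_SECONDS):
    """Mint a one-time credential for `subject`, usable only at `audience`
    until `now + window`. Fields must not contain '|' (constructed format)."""
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode()  # no '|' possible
    expires = int(now) + window
    payload = f"{subject}|{audience}|{expires}|{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "|" + tag


class Verifier:
    """The relying party. Keeps the set of nonces it has already accepted."""

    def __init__(self, audience, key=ISSUER_KEY):
        self.audience = audience
        self.key = key
        self.seen = set()

    def verify(self, token, now):
        """Return (True, subject) or (False, reason). Checks run in an order
        that rejects forgeries before revealing anything about the contents."""
        try:
            subject, audience, expires, nonce, tag = token.split("|")
        except ValueError:
            return (False, "malformed")
        payload = f"{subject}|{audience}|{expires}|{nonce}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # hard to forge: constant-time MAC comparison over every field
        if not hmac.compare_digest(expected, tag):
            return (False, "bad signature")
        # targeted: a credential issued for another site is useless here
        if audience != self.audience:
            return (False, "wrong audience")
        # limited window: a credential lifted from a log or cache dies quickly
        if int(now) > int(expires):
            return (False, "expired")
        # one-time: the nonce is burned on first successful use
        if nonce in self.seen:
            return (False, "replayed")
        self.seen.add(nonce)
        return (True, subject)


if __name__ == "__main__":
    v = Verifier("https://sp.example")
    t = issue("alice", "https://sp.example", now=1000)
    print(v.verify(t, now=1010))  # accepted once
    print(v.verify(t, now=1011))  # replayed
```

The replay set is per verifier and unbounded here; a deployment would key it by nonce and drop entries once their expiry has passed, since an expired token is rejected by the window check anyway.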
