security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [security-services] Resend: draft-sstc-sec-consider-01


> I have a comment on section 5.2.1.4. I'm under the impression that
> instead of solving the problem of replay attack in the non-SSL transport
> case, SAML is saying "Well, it's a problem."
> The solution is simply to add IssueInstant (perhaps optionally) to
> Request (and perhaps Response). This bounds the ID-based replay cache to
> a short period and solves the problem (to the extent that it's solvable).
> Is there a reason for not doing this?

This is pretty much the conclusion we came to at the last F2F. I
mentioned it during the meeting as a possibility, and this is our
example case for why we need to complete the review of sec-cons before
freezing the core.

C.
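The mechanism the quoted comment proposes, a replay cache keyed on the request ID but bounded by IssueInstant, is sketched below as an added example. It is not code from the thread, from the SAML specification, or from any SAML implementation; the 300-second acceptance window, the clock-skew allowance and the `ReplayCache`/`parse_issue_instant` names are assumptions made for illustration. Without a timestamp the cache would have to remember every ID it has ever seen; with one, anything older than the window is rejected outright and only IDs inside the window need to be retained.

```python
"""Bounded replay protection for SAML-style requests.

Added example, not from the mailing list thread or from any SAML
implementation. Assumes each request carries a unique ID and an
IssueInstant (xs:dateTime in UTC), as the thread proposes. The window
length and skew tolerance below are illustrative assumptions.
"""
from datetime import datetime, timedelta, timezone


def parse_issue_instant(value):
    """Parse an xs:dateTime such as 2002-01-01T12:00:00Z into an aware UTC datetime.

    Only the whole-second UTC form is handled here (assumption for brevity).
    """
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Reject duplicate request IDs, keeping state only for a short window."""

    def __init__(self, window_seconds=300, skew_seconds=60):
        self.window = timedelta(seconds=window_seconds)  # assumed acceptance window
        self.skew = timedelta(seconds=skew_seconds)      # assumed clock-skew tolerance
        self._seen = {}  # request ID -> IssueInstant

    def _evict(self, now):
        # Anything whose IssueInstant has fallen outside the window can be
        # forgotten: a replay of it will fail the age check below regardless.
        cutoff = now - self.window
        for rid in [rid for rid, ts in self._seen.items() if ts < cutoff]:
            del self._seen[rid]

    def cache_size(self):
        return len(self._seen)

    def check(self, request_id, issue_instant, now=None):
        """Return (accepted, reason) for a request with the given ID and IssueInstant."""
        now = now or datetime.now(timezone.utc)
        self._evict(now)
        if issue_instant is None:
            # Without IssueInstant the cache could never be bounded, so refuse.
            return False, "missing IssueInstant"
        age = now - issue_instant
        if age > self.window:
            return False, "IssueInstant too old"
        if age < -self.skew:
            return False, "IssueInstant in the future"
        if request_id in self._seen:
            return False, "replayed ID"
        self._seen[request_id] = issue_instant
        return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: the same request presented twice, then after the window.
    cache = ReplayCache()
    t0 = parse_issue_instant("2002-01-01T12:00:00Z")
    print(cache.check("_req1", t0, now=t0))
    print(cache.check("_req1", t0, now=t0 + timedelta(seconds=10)))
    print(cache.check("_req1", t0, now=t0 + timedelta(seconds=400)))
    print("entries retained:", cache.cache_size())
```

The cache never grows beyond the number of distinct requests issued within one window, and a request whose IssueInstant is outside that window is rejected without any lookup, which is what makes the ID-based cache bounded in the sense the comment describes.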


