Subject: RE: [security-services] Resend: draft-sstc-sec-consider-01
> I have a comment on section 5.2.1.4. I'm under the impression that
> instead of solving the problem of replay attack in the non-SSL transport
> case, SAML is saying "Well, it's a problem."
>
> The solution is simply to add IssueInstant (perhaps optionally) to
> Request (and perhaps Response). This bounds the ID-based replay cache to
> a short period and solves the problem (to the extent that it's solvable).
>
> Is there a reason for not doing this?

This is pretty much the conclusion we came to at the last F2F. I mentioned it during the meeting as a possibility, and this is our example case for why we need to complete the review of sec-cons before freezing the core.

C.
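The mechanism discussed above (an ID-based replay cache whose memory is bounded by the message's IssueInstant) is illustrated by the following added example. It is not code from the thread or from any SAML implementation: the `ReplayCache` class, the `parse_request` helper, the attribute names it reads (`RequestID`/`ID` and `IssueInstant`) and the sample request XML are all constructed here for illustration. The point it shows is why the timestamp bounds the cache: an ID only needs to be remembered for as long as a message carrying that IssueInstant would still be accepted, so entries older than the window can be dropped without reopening a replay.

```python
"""Bounded replay cache for timestamped requests (constructed example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET


class ReplayCache:
    """Remember request IDs only for `window` (+ clock `skew`).

    A request is accepted only if its IssueInstant lies inside the window
    AND its ID has not been seen during that window. Because anything
    older than the window is rejected on the timestamp alone, forgetting
    old IDs does not let a replay through, which keeps memory bounded.
    """

    def __init__(self, window=timedelta(minutes=5), skew=timedelta(seconds=30)):
        self.window = window
        self.skew = skew
        self._seen = {}  # request ID -> IssueInstant (assumed hypothetical store)

    def _evict(self, now):
        # Drop IDs whose IssueInstant could no longer pass the freshness check.
        cutoff = now - self.window - self.skew
        for rid, issued in list(self._seen.items()):
            if issued < cutoff:
                del self._seen[rid]

    def accept(self, request_id, issue_instant, now=None):
        """Return (accepted, reason). Timestamp checks run before the ID is
        stored, so stale or future-dated messages cannot fill the cache."""
        now = now or datetime.now(timezone.utc)
        self._evict(now)
        if issue_instant > now + self.skew:
            return False, "issue_instant_in_future"
        if issue_instant < now - self.window:
            return False, "stale"
        if request_id in self._seen:
            return False, "replay"
        self._seen[request_id] = issue_instant
        return True, "ok"

    def size(self):
        return len(self._seen)


def parse_request(xml_text):
    """Extract (id, IssueInstant) from a request element.

    Attribute names are assumed for this example: SAML 1.x used RequestID,
    later versions use ID; both carry an IssueInstant in ISO 8601 / UTC.
    """
    root = ET.fromstring(xml_text)
    rid = root.get("RequestID") or root.get("ID")
    ts = root.get("IssueInstant")
    if not rid or not ts:
        raise ValueError("request lacks an ID or IssueInstant attribute")
    return rid, datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_request(cache, xml_text, now):
    """Parse a request and run it through the cache; returns (accepted, reason)."""
    rid, issued = parse_request(xml_text)
    return cache.accept(rid, issued, now)


# Constructed sample request, not taken from any real exchange.
SAMPLE_REQUEST = (
    '<Request RequestID="_example-req-1" MajorVersion="1" MinorVersion="0" '
    'IssueInstant="2024-01-01T11:58:00Z"/>'
)

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    print(check_request(cache, SAMPLE_REQUEST, now))   # accepted the first time
    print(check_request(cache, SAMPLE_REQUEST, now))   # same ID again: replay
    later = now + timedelta(minutes=10)
    print(check_request(cache, SAMPLE_REQUEST, later)) # evicted, but stale anyway
    print(cache.size())
```

The order of checks matters for a defender: the freshness test runs before the ID is recorded, so a flood of old or far-future messages is rejected without growing the cache, and the eviction cutoff includes the skew allowance so no ID is forgotten while a message bearing it could still be accepted.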