

Subject: RE: [security-services] Suggest adding IssueInstant attribute toRequest and Response



> Can I assume the authenticated channel prevents interception of
> requests? Authentication doesn't require this. I don't have to be Alice
> to intercept a signed message from Alice sent via HTTP, SMTP, etc. and
> save it for next month.

Sure you can intercept and keep the message, but if the channel requires authentication, you can't SEND it unless you can authenticate.

> The issue is whether that buys me anything. In S-MIME, maybe it does if
> Alice was sufficiently vague in her message. In SAML, it certainly
> does...I'm Alice for that request. That's replay and impersonation, not
> denial of service.

Well the section of the document in question clearly says that denial of service is the threat. If that is wrong, we should fix the document.

In my opinion, this is only a threat when using certain types of SubjectConfirmation. I don't think this is an issue in the context of the SOAP binding; however, I have not analyzed it carefully.

Hal
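As an added illustration (not code from this thread, from the OASIS specification, or from any SAML implementation), the following shows how a receiver could use the proposed IssueInstant attribute together with a message identifier to reject the "save it for next month" replay described in the quoted text: a message is accepted only if its IssueInstant falls inside a freshness window and its identifier has not been seen within that window. Only IssueInstant comes from the thread; the `ID` attribute name, the five-minute window, the clock-skew tolerance and the sample messages are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET


def parse_instant(value):
    """Parse an xsd:dateTime such as "2002-03-01T12:00:00Z" into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    stamp = datetime.fromisoformat(value)
    if stamp.tzinfo is None:
        raise ValueError("IssueInstant must carry a timezone")
    return stamp.astimezone(timezone.utc)


class ReplayGuard:
    """Accept a message only if its IssueInstant is fresh and its ID is unseen.

    Freshness bounds how long a captured message stays usable; the seen-ID
    cache catches a replay that arrives inside that bound."""

    def __init__(self, max_age=timedelta(minutes=5), skew=timedelta(seconds=30)):
        self.max_age = max_age   # assumed acceptance window for an IssueInstant
        self.skew = skew         # assumed tolerance for a sender clock running ahead
        self._seen = {}          # message ID -> time after which it may be forgotten

    def check(self, xml_text, now=None):
        now = now or datetime.now(timezone.utc)
        # Forget IDs whose window has closed: a replay of them fails the age check anyway.
        for mid in [m for m, exp in self._seen.items() if exp <= now]:
            del self._seen[mid]
        root = ET.fromstring(xml_text)
        instant = root.get("IssueInstant")
        msg_id = root.get("ID")  # assumed attribute name for the example
        if instant is None or msg_id is None:
            return "reject: missing IssueInstant or ID"
        try:
            issued = parse_instant(instant)
        except ValueError:
            return "reject: unparsable IssueInstant"
        if issued > now + self.skew:
            return "reject: IssueInstant in the future"
        if now - issued > self.max_age:
            return "reject: stale"
        if msg_id in self._seen:
            return "reject: replay"
        # Remember the ID until a replay would be rejected as stale regardless.
        self._seen[msg_id] = issued + self.max_age + self.skew
        return "accept"


# Constructed sample message (not taken from the thread or any deployment).
SAMPLE_REQUEST = '<Request ID="_req-0001" IssueInstant="2002-03-01T12:00:00Z"/>'


def demo():
    """Same captured message presented three times: fresh, replayed, and a month later."""
    guard = ReplayGuard()
    now = datetime(2002, 3, 1, 12, 1, tzinfo=timezone.utc)
    first = guard.check(SAMPLE_REQUEST, now)                         # accept
    second = guard.check(SAMPLE_REQUEST, now)                        # reject: replay
    later = guard.check(SAMPLE_REQUEST, now + timedelta(days=30))    # reject: stale
    return first, second, later


if __name__ == "__main__":
    print(demo())
```

The seen-ID cache only has to cover the freshness window, which is what keeps its size bounded; without IssueInstant the receiver would have to remember every identifier forever to get the same guarantee. The check says nothing about who sent the message, so it complements, rather than replaces, the channel authentication discussed above.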


