[security-services] Preliminary text for "Request Denied" errorsub-statu

security-services message

Subject: [security-services] Preliminary text for "Request Denied" errorsub-status code

From: "Mishra, Prateek" <pmishra@netegrity.com>

To: "'Philpott, Robert'" <rphilpott@rsasecurity.com>,"'security-services@lists.oasis-open.org'"<security-services@lists.oasis-open.org>,"McLaren, Christopher" <cmclaren@netegrity.com>

Date: Wed, 27 Mar 2002 12:22:33 -0500

(1)
Add a new second-level status code to the list in:

RequestDenied

        The responder is able to process the request but has chosen not to respond.
        May be used when the responder is concerned about the security context of
        the request or the sequence of requests received from a particular client.

(2)

After the end of the sentence on line 1279, insert a new paragraph:

Note: The AuthenticationQuery MAY NOT be used as a request for a new authentication using credentials provided in the request. The AuthenticationQuery is a request for statements about authentication acts which have occured in a previous interaction between the indicated principal and the Authentication Authority.

(3) In Security Considerations, add a new sub-section to "SAML Protocol" (Section 3.2)

3.1 Active Attacks using SAML Requests

A variety of attacks are possible using SAML requests. A malicious requester may attempt to obtain a valid SAML assertion by "guessing" a valid <Subject> element. This may be accomplished by repeatedly submitting a AuthenticationQuery or AttributeQuery with contents of the <Subject> element drawn from a dictionary of potential values for <Subject> sub-elements and attributes. A SAML responder should attempt to detect such attacks and return the Requester error code with sub-error code RequestDenied.