OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: FW: SAML 2.0 and Man in the Middle attacks


1st of 2 messages from Approach Belgium.

 

Hal

 


From: marc.stern@approach.be [mailto:marc.stern@approach.be]
Sent: Tuesday, September 02, 2008 10:40 AM
To: hal.lockhart@oracle.com; bcampbell@pingidentity.com; paulmadsen@ntt-at.com; robert.philpott@rsa.com; eve.maler@sun.com; jamie.clark@oasis-open.org
Subject: SAML 2.0 and Man in the Middle attacks

 

Hello,

I am currently leading the technical part of a big European project (http://www.eid-stork.eu/) targeting federated identity between EU countries.

We are obviously looking at SAML, but we have a major concern, as it is not immune at all against MITM attacks.
Several countries are in favor of developing an alternative protocol (like TLS-Federation - ), but I would like to check with you if this problem was ever tackled.

Did you provide any work on this ?
Could this be solved by any way ?
How does it integrate with CardSpace ? Could such a combination solve the problem ?

Thank you

--
 
Marc Stern
Senior Consultant - Security Group Head
Approach Belgium - http://www.approach.be
Avenue Einstein, 2A   -    B-1348 Louvain-la-Neuve   -     Belgium
Tel: +32 10 83 21 36   -    GSM: +32 475 68 29 10    -   Fax: +32 10 83 22 55   - LinkedIn

Disclaimer_____________________________________________________________________________
1. This message is intended for the use of the addressee only and may contain information that is privileged and confidential.
2. If you are not the intended recipient, you are notified that any dissemination of this Communication is strictly prohibited.
3. If you have received this communication in error, please notify us immediately by return of this e-mail.
4. E-mail quotations and proposals are for information only, and are subject to confirmation by the Signature of the appropriate contractual documentation by the authorized persons or both



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]