Subject: RE: [security-services] FW: SAML 2.0 and Man in the Middle attacks
> Can anyone suggest any current work which could be used for this? Is anyone
> interested in getting involved in this?

What's the specific threat? Obviously, in the client -> SP direction, they would be objecting to bearer tokens (which for the record Cardspace also requires for browser use). So that would require HoK-style approaches, either via browser + TLS, or some other client.

Or if it's the SP -> client direction (am I sending this assertion to who I think I am?), that's generally left to TLS and the use of encryption mediated by the IdP. I imagine they mean the former?

FWIW, once the issues around Nate's profile are settled, I'm sure we could add an ECP version pretty easily, either with TLS only, or adding some form of client signing as an option.

-- Scott
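The bearer-versus-holder-of-key distinction in the reply above is what an SP actually enforces when it processes the Subject of an assertion. The following is an added example, not code from this thread or from any OASIS deliverable: an SP-side subject-confirmation check that accepts a bearer confirmation only when policy allows it, and for holder-of-key confirmation compares the certificate named in the assertion's KeyInfo against the certificate the client presented over TLS. The assertion XML, the `alice@example.org` subject, the `sp.example.org` recipient and both "certificates" are constructed placeholders (the certificate values are not real DER); the function names `confirm_subject` and `build_assertion` are this example's own. XML signature validation of the assertion is assumed to have already succeeded and is out of scope here.

```python
"""Added example: SP-side subject confirmation for a SAML 2.0 assertion.

Distinguishes bearer confirmation from holder-of-key (HoK) confirmation and,
for HoK, verifies that the key named in the assertion matches the certificate
the client presented over TLS. All sample values are constructed placeholders.
Assumes the assertion's XML signature has already been validated.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-ins for DER certificates; not real X.509 data.
CLIENT_CERT_B64 = base64.b64encode(b"CONSTRUCTED-CLIENT-CERT-NOT-REAL-DER").decode()
OTHER_CERT_B64 = base64.b64encode(b"CONSTRUCTED-OTHER-CERT-NOT-REAL-DER").decode()


def _cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the decoded bytes, tolerating base64 line wrapping."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def build_assertion(method: str, cert_b64: Optional[str] = None) -> str:
    """Construct a minimal (unsigned) assertion for the example; hypothetical values."""
    keyinfo = ""
    if cert_b64:
        keyinfo = (
            f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data>'
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo>"
        )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'ID="_constructed-id" Version="2.0">'
        "<saml:Subject><saml:NameID>alice@example.org</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{method}">'
        '<saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"'
        + (' xsi:type="saml:KeyInfoConfirmationDataType"' if cert_b64 else "")
        + f">{keyinfo}</saml:SubjectConfirmationData>"
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
    )


def confirm_subject(assertion_xml: str, tls_client_cert_b64: Optional[str],
                    require_hok: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for the assertion's subject confirmation.

    require_hok=True is the policy the reply describes: bearer tokens are
    rejected and the client must prove possession of the confirmed key,
    here by having presented the matching certificate on the TLS connection.
    """
    root = ET.fromstring(assertion_xml)
    confs = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not confs:
        return False, "no SubjectConfirmation element"
    for conf in confs:
        method = conf.get("Method")
        if method == CM_BEARER:
            if require_hok:
                continue  # bearer is not acceptable under this policy
            return True, "bearer confirmation accepted"
        if method == CM_HOK:
            if tls_client_cert_b64 is None:
                continue  # HoK without a proof of possession proves nothing
            presented = _cert_fingerprint(tls_client_cert_b64)
            certs = conf.findall(
                "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                NS,
            )
            for cert in certs:
                if _cert_fingerprint(cert.text or "") == presented:
                    return True, "holder-of-key confirmed by TLS client certificate"
    return False, "no acceptable subject confirmation"


if __name__ == "__main__":
    hok = build_assertion(CM_HOK, CLIENT_CERT_B64)
    print(confirm_subject(hok, CLIENT_CERT_B64, require_hok=True))
    print(confirm_subject(hok, OTHER_CERT_B64, require_hok=True))
    print(confirm_subject(build_assertion(CM_BEARER), None, require_hok=True))
```

The fingerprint comparison stands in for whatever binding the deployment uses between the TLS layer and the assertion; the essential property is that the SP rejects a holder-of-key confirmation whose key the client has not demonstrably used on the connection, which is exactly the gap a bearer token leaves open.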