security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: [OASIS Issue Tracker] (SECURITY-28) No mention of freshness or replay detection in SAML protocols or profiles


Scott Cantor created SECURITY-28:
------------------------------------

             Summary: No mention of freshness or replay detection in SAML protocols or profiles
                 Key: SECURITY-28
                 URL: https://issues.oasis-open.org/browse/SECURITY-28
             Project: OASIS Security Services (SAML) TC
          Issue Type: Bug
          Components: Bindings, Core, Profiles
    Affects Versions: SAML 2.0 + Approved Errata 05
            Reporter: Scott Cantor
            Assignee: Scott Cantor


The Security Considerations document provides some minimal discussion of risks that are mitigated through freshness checks or replay checks, but the actual spec set says nothing about the use of the IssueInstant or ID attributes at the protocol layer.

Discussion of bearer assertion or artifact replay checking exists, but nothing at the protocol layer.

This is a significant omission depending on specific use cases, such as the use of signed messages in place of mutual TLS in the SOAP binding, or with the use of signed AuthnRequests or LogoutRequests in various profiles.
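The following is an added illustration of the kind of protocol-layer check the issue says the spec set never describes: it is not code from the issue, the TC, or any SAML implementation. It parses the `ID` and `IssueInstant` attributes of a `samlp` protocol message (a LogoutRequest here), enforces a freshness window, and keeps a cache of seen IDs so a replayed message is rejected. The policy values (a 5-minute maximum age, 3 minutes of clock skew, an in-memory cache) and the sample message are assumptions constructed for the example; a deployment would pick its own window and, for signed messages, run this only after signature verification, since an unsigned or tampered message should fail before any replay bookkeeping.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample LogoutRequest (not from the issue); IssueInstant is 2024-01-01T12:00:00Z.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.org/SLO">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:NameID>user@example.org</saml:NameID>
</samlp:LogoutRequest>"""


class ProtocolMessageReplayChecker:
    """Freshness and replay check for SAML 2.0 protocol messages, keyed on the
    message's ID and IssueInstant attributes.

    Assumed policy (an example choice, not taken from the SAML specs): accept a
    message whose IssueInstant lies within `max_age` of the local clock, tolerating
    `clock_skew` in either direction, and reject any ID already seen while it could
    still be fresh. Cache entries are dropped once the message they belong to would
    fail the age check anyway, so the cache stays bounded by the window.
    """

    def __init__(self, max_age=timedelta(minutes=5), clock_skew=timedelta(minutes=3)):
        self.max_age = max_age
        self.clock_skew = clock_skew
        self._seen = {}  # message ID -> instant after which the entry can be dropped

    def _purge(self, now):
        for msg_id, expires in list(self._seen.items()):
            if expires <= now:
                del self._seen[msg_id]

    def check(self, xml_text, now=None):
        """Return (accepted, reason). Caller must have verified the signature first."""
        now = now or datetime.now(timezone.utc)
        # ElementTree is used for brevity; real deployments parse untrusted XML
        # with a hardened parser (entity expansion disabled).
        root = ET.fromstring(xml_text)
        if not root.tag.startswith("{" + SAMLP_NS + "}"):
            return False, "not a samlp protocol message"
        msg_id = root.get("ID")
        issue_instant = root.get("IssueInstant")
        if not msg_id or not issue_instant:
            return False, "missing ID or IssueInstant"
        try:
            # SAML Core requires UTC time values; accept the 'Z' form and explicit offsets.
            issued = datetime.fromisoformat(issue_instant.replace("Z", "+00:00"))
        except ValueError:
            return False, "unparseable IssueInstant"
        if issued.tzinfo is None:
            return False, "IssueInstant lacks a UTC designator"
        if issued > now + self.clock_skew:
            return False, "IssueInstant is in the future"
        if issued <= now - self.max_age - self.clock_skew:
            return False, "message too old"
        self._purge(now)
        if msg_id in self._seen:
            return False, "replayed message ID"
        # Remember the ID until the message could no longer pass the age check.
        self._seen[msg_id] = issued + self.max_age + self.clock_skew
        return True, "ok"


def demo():
    """Walk the sample message through first delivery, replay, and late arrival."""
    checker = ProtocolMessageReplayChecker()
    t0 = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    results = [
        checker.check(SAMPLE_LOGOUT_REQUEST, now=t0),
        checker.check(SAMPLE_LOGOUT_REQUEST, now=t0),
        checker.check(SAMPLE_LOGOUT_REQUEST, now=t0 + timedelta(minutes=10)),
    ]
    for accepted, reason in results:
        print(accepted, reason)
    return results


if __name__ == "__main__":
    demo()
```

The cache is keyed on the message ID alone, which is enough within the freshness window because the same check rejects anything older than the window before it consults the cache; the two mechanisms only work together, which is why the issue names both attributes.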



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)

