Subject: Issue 109: Potential attack when using RST parameters from a target site - WS-SecurityPolicy part
From: Jan Alexander

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-securitypolicy
Artifact: spec
Type: design
Title: Potential attack when using RST parameters from a target site - WS-SecurityPolicy part

Description: The RequestSecurityTokenTemplate parameter of the IssuedToken assertion is critical to allow generalized token issuance policy, but allows possible RST parameter attacks because the requestor's parameters cannot be separated from those specified for the target site. See the description of the attack in the related WS-Trust issue description.

Related issues: The same issue, WS-Trust part

Proposed Resolution: Change the description of the RequestSecurityTokenTemplate element on lines 910 - 914 to say that the contents are inserted into the wst:SecondaryParameters element of the RST instead of being placed directly as children of the wst:RequestSecurityToken element.
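
Added example, not part of the original message or of either specification: a Python sketch of the proposed resolution, in which the requestor copies the target site's RequestSecurityTokenTemplate contents under wst:SecondaryParameters so the issuer can tell them apart from the requestor's own parameters. The namespace URIs (WS-Trust 1.3, WS-SecurityPolicy 1.2), the sample policy and the function names are assumptions made for illustration.

```python
import copy
import xml.etree.ElementTree as ET

# Assumed namespace URIs; the message itself does not state them.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Constructed sample: an IssuedToken assertion as published by a target site.
POLICY = f"""
<sp:IssuedToken xmlns:sp="{SP}" xmlns:wst="{WST}">
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>urn:example:token-type</wst:TokenType>
    <wst:KeyType>{WST}/SymmetricKey</wst:KeyType>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>
""".strip()


def build_rst(policy_xml, own_params):
    """Requestor side: own parameters are direct children of the RST;
    the target site's template contents go under wst:SecondaryParameters."""
    template = ET.fromstring(policy_xml).find(f"{{{SP}}}RequestSecurityTokenTemplate")
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    for name, text in own_params.items():
        ET.SubElement(rst, f"{{{WST}}}{name}").text = text
    secondary = ET.SubElement(rst, f"{{{WST}}}SecondaryParameters")
    secondary.extend([copy.deepcopy(child) for child in template])
    return rst


def split_params(rst):
    """Issuer side: return (requestor_params, target_site_params),
    each a dict keyed by element local name."""
    primary, secondary = {}, {}
    for child in rst:
        if child.tag == f"{{{WST}}}SecondaryParameters":
            secondary = {c.tag.split("}")[1]: c.text for c in child}
        else:
            primary[child.tag.split("}")[1]] = child.text
    return primary, secondary


if __name__ == "__main__":
    rst = build_rst(POLICY, {"RequestType": f"{WST}/Issue"})
    print(ET.tostring(rst, encoding="unicode"))
    print(split_params(rst))
```
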