saml-dev message
Subject: RE: [saml-dev] RE: Réf. : RE: [saml-dev] Question about logout


> About this part:
> "If the IdP gets a request with some other value
> it should treat that as a failure, even if the IdP could *guess*
> which user the caller is talking about."
> 
> Where is this constraint indicated in the spec?
> 
> Lines 1299-1301 of the Profiles spec. From a security point of view,
> letting someone sit there and guess possible other IDs for the user would
> be a substantial security and/or privacy hole.

Oops, you're right, I forgot the matching language was in there also.
(That's a web profile issue of course, it's not strictly speaking a rule for
all possible uses of logout.)

-- Scott
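As an added illustration of the matching rule discussed above (example code written for this archive page, not code from the thread or from any SAML implementation): an IdP-side check that accepts a LogoutRequest only when its NameID exactly matches, in value and Format, the NameID the IdP issued to that SP for the current session, and otherwise returns a failure status without trying to guess which user is meant. The session table, the SP entityID, the request builder and the status tuple shape are all constructed for the example; signature verification of the request is assumed to have happened earlier.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed IdP session table (hypothetical): the NameID the IdP actually
# issued to each SP for the current session, keyed by the SP's entityID.
SESSIONS = {
    "https://sp.example.org/metadata": {
        "name_id": "alice@example.org", "format": EMAIL_FMT, "session_index": "s1234"},
}

def make_logout_request(issuer, name_id, fmt=EMAIL_FMT, session_index="s1234"):
    """Build a minimal, unsigned LogoutRequest (constructed test input)."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_c1" Version="2.0" IssueInstant="2004-01-01T00:00:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
            f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex>'
            f'</samlp:LogoutRequest>')

def evaluate_logout_request(xml_text, sessions=SESSIONS):
    """Return ((top-level status, second-level status or None), session to
    terminate or None). Signature checking is assumed to precede this step."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return (REQUESTER, None), None
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    nid = root.find(f"{{{SAML}}}NameID")
    if (root.tag != f"{{{SAMLP}}}LogoutRequest" or not issuer
            or nid is None or not (nid.text or "").strip()):
        return (REQUESTER, None), None
    sess = sessions.get(issuer)
    # The NameID must equal what the IdP issued to this SP, value and Format
    # alike (absent Format means "unspecified"). Anything else is a failure:
    # the IdP never falls back to guessing which user the caller means, and the
    # answer is the same whether the SP has no session or named the wrong one.
    if (sess is None or nid.text.strip() != sess["name_id"]
            or nid.get("Format", UNSPEC_FMT) != sess["format"]):
        return (REQUESTER, UNKNOWN_PRINCIPAL), None
    idx = root.findtext(f"{{{SAMLP}}}SessionIndex")
    if idx is not None and idx.strip() != sess["session_index"]:
        return (REQUESTER, None), None
    return (SUCCESS, None), sess
```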
