OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] phishing the DS protocol


> The Identity Provider Discovery Service Protocol and Profile talks
> about the dangers of phishing attacks and how metadata can mitigate
> this threat. However, it stops short of specifying that the DS MUST
> ensure by some means (metadata or otherwise) that the location
> specified in the return parameter is in fact associated with the
> requester given by the entityID parameter. Am I missing something?

Not that I can see. Making it a MUST doesn't give anybody involved any
guarantee that it's being prevented, so it's not a MUST, just up to the
implementer/deployer.

Could have been a "MUST implement", didn't really think about it.
 
-- Scott




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]