Re: [saml-dev] phishing the DS protocol

[Tom Scavo <trscavo@gmail.com>]

On Mon, Oct 18, 2010 at 11:06 AM, Scott Cantor <cantor.2@osu.edu> wrote:
>> The Identity Provider Discovery Service Protocol and Profile talks
>> about the dangers of phishing attacks and how metadata can mitigate
>> this threat. However, it stops short of specifying that the DS MUST
>> ensure by some means (metadata or otherwise) that the location
>> specified in the return parameter is in fact associated with the
>> requester given by the entityID parameter. Am I missing something?
>
> Not that I can see. Making it a MUST doesn't give anybody involved any
> guarantee that it's being prevented, so it's not a MUST, just up to the
> implementer/deployer.

Hmm, well that is not the response I was expecting :-) so let me try
again. If you deployed an instance of the DS, and you found that it
did not check the above, would you be concerned enough to do anything
about it?

> Could have been a "MUST implement", didn't really think about it.

I'm not sure why you're making this distinction. SAML Core is pretty
clear about the consumer service URL, for instance. Why is this any
different?

Thanks for the clarification,

Tom