OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Same certificate for https and SAML signing

On 3/10/14, 2:36 PM, "Tom Scavo" <trscavo@gmail.com> wrote:
>If you're referring to the SAML spec, it has nothing to say about this
>issue. The companion spec that Peter pointed is one approach but there
>is a small fraction of Federations worldwide (that I know of, anyway)
>that employ a model based on CA-signed certificates in metadata.

As long as it's exactly one, controlled, CA, that's relatively safe.
Otherwise it's simply asking to get hacked, because without naming
constraints and/or control over the issuance, you have no control over
what's being issued and what the relationship is between a SAML name and a
subject DN. There is nothing in SAML to do this, and there is no standard
way of expressing the right rules in SAML metadata (though there are
non-standard ways).

In short, a good number of SAML systems in the world have literally no
idea what they're doing and are operating unsafely. That is probably
unsurprising since you could s/SAML/anything in that sentence and be

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]