[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: Interim requirements II!
One more addition, and a question. [R-DoS] Ensure that assertions (and later protocols, bindings) do not unnecessarily offer DoS opportunities & if they have to, then this to be called-out in the specification. Basic thing to be aware of is where a URI is received and de-referenced. Soon as you do that, you might be in trouble. Countermeasures built around de-referencing after peer entity or message authentication (and careful coding:-). The question is do we want: [R-ReAuth] Ability for server to signal that re-authenticaiton is required where you'd normally expect an authorization decision. I didn't phrase that too well, but I guess folks'll recognize the issue. Stephen. Philip Hallam-Baker wrote: > > Try the second: > > This time as an attachment. > > Phill > > Phillip Hallam-Baker > Principal Scientist > VeriSign Inc. > pbaker@verisign.com > 781 245 6996 x227 > > ---------------------------------------------------------------------------------------------------- > Name: s2ml_requirements_analysis.htm > s2ml_requirements_analysis.htm Type: Hypertext Markup Language (text/html) > Encoding: QUOTED-PRINTABLE -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC