[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack
> If we do not have any official (registered) certificate, MitM will always be > possible, as no session can ever be secured. That's not true, even if there was such a thing as an "official" certificate, which there isn't. What prevents MitM is the use of a protocol that involves proof of possession of the key between the client and the IdP, as opposed to name/password. Who signed a certificate (if anybody) is completely irrelevant. Issues of anonymity are likewise orthogonal, other than to allow that with a browser today, you're probably stuck using a single certificate (which could be self-signed and contain an opaque DN) with both the IdP and SP. The lack of privacy comes from the inability to easily use a different certificate across sessions with the SP, so correlation becomes possible. This compromises anonymity, but doesn't necessarily reveal your identity. > Proposition: instead of stating that the key/certificate bind in the > assertion and used with the SP must come from the TLS authentication to the > IdP, why not extending this to "a key/certificate sent to the IdP in a > secure way"? I'd just use the standard terminology, "a protocol establishing proof of possession of the key". -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]