
security-services-comment message



Subject: RE: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack


Tom Scavo wrote on 2009-04-27:
> "Suppose a SAML issuer wishes to issue a response containing one or
> more holder-of-key assertions. As a prerequisite, the SAML issuer MUST
> possess an X.509 certificate known to be associated with the
> attesting entity."

I would phrase it as "public key" rather than "certificate", but yes.

> Not to mince words but I think this should be "a protocol establishing
> proof of possession of a *known* key".

Agreed, I was imprecise. I was only pushing back on the notion that any
concept such as "officialness" was involved. A Formal PKI is NOT a
requirement to prevent MITM.

-- Scott
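The check this exchange is about, written out as an added example (not code from the thread or from any SAML implementation): the SP accepts a holder-of-key assertion only when the peer that was authenticated on the TLS channel holds the key named in the assertion's SubjectConfirmation, with no CA chain involved. It assumes the TLS layer hands over the peer's certificate as DER bytes and compares certificates by SHA-256 fingerprint; the sample certificate bytes are constructed.

```python
"""SP-side holder-of-key confirmation (added illustration, not from the thread).
The TLS handshake has already proved the peer possesses the private key for the
certificate it presented; this check only asks whether that key is the one the
assertion names. No PKI validation of the peer certificate is performed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def hok_keys(assertion_xml: str) -> List[str]:
    """Fingerprints of every certificate named by a holder-of-key confirmation."""
    root = ET.fromstring(assertion_xml)
    out = []
    for sc in root.findall(".//saml2:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue  # bearer and other methods carry no key to match against
        for cert in sc.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            out.append(fingerprint(der))
    return out

def confirm_holder_of_key(assertion_xml: str, tls_peer_cert_der: Optional[bytes]) -> bool:
    """True only if the TLS-authenticated peer holds a key the assertion names."""
    if tls_peer_cert_der is None:
        return False  # no client authentication, so no proof of possession
    return fingerprint(tls_peer_cert_der) in hok_keys(assertion_xml)

# Constructed sample: these bytes stand in for the attesting entity's DER certificate.
PEER_DER = b"\x30\x82\x01\x00constructed-der-bytes-for-the-attesting-entity"
ASSERTION = f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}">
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="{HOK}">
      <saml2:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(PEER_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
</saml2:Assertion>"""
```

A relying party that skips this comparison, or accepts the assertion over a connection without TLS client authentication, is back in the bearer-token situation the thread's subject line warns about.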



