Subject: RE: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack
Tom Scavo wrote on 2009-04-27:

> "Suppose a SAML issuer wishes to issue a response containing one or
> more holder-of-key assertions. As a prerequisite, the SAML issuer MUST
> possess an X.509 certificate known to be associated with the
> attesting entity."

I would phrase it as "public key" rather than "certificate", but yes.

> Not to mince words but I think this should be "a protocol establishing
> proof of possession of a *known* key".

Agreed, I was imprecise. I was only pushing back on the notion that any concept such as "officialness" was involved. A Formal PKI is NOT a requirement to prevent MITM.

-- Scott