Subject: Re: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack
On Mon, Apr 27, 2009 at 9:45 AM, Scott Cantor <cantor.2@osu.edu> wrote:
> Tom Scavo wrote on 2009-04-27:
>> "Suppose a SAML issuer wishes to issue a response containing one or
>> more holder-of-key assertions. As a prerequisite, the SAML issuer MUST
>> possess an X.509 certificate known to be associated with the
>> attesting entity."
>
> I would phrase it as "public key" rather than "certificate", but yes.

Well, the HoK Assertion Profile is in Public Review as well, so we can certainly change the wording if we think that's best, but I wonder if we shouldn't leave it as it is? I took the above quote out of context (obviously) but if you go back, read the spec, and refresh your memory, I think you'll find that a certificate is in fact what's required throughout, at least given how the spec is written now.

>> Not to mince words but I think this should be "a protocol establishing
>> proof of possession of a *known* key".
>
> Agreed, I was imprecise. I was only pushing back on the notion that any
> concept such as "officialness" was involved. A Formal PKI is NOT a
> requirement to prevent MITM.

Agreed.

Thanks,
Tom
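The exchange above turns on one mechanism: the issuer binds the key the attesting entity proved possession of (by TLS client authentication) into a holder-of-key SubjectConfirmation, and the relying party accepts the assertion only if the client on its own TLS connection presents that same key. The following is an added illustration of that check, not code from the thread or from any SAML implementation. The issuer name, subject and the DER "certificate" byte strings are constructed placeholders; a deployment would take the real DER bytes from the TLS layer, and would still have to verify the issuer's signature over the assertion, which is out of scope here.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

for prefix, uri in (("saml", SAML_NS), ("ds", DS_NS), ("xsi", XSI_NS)):
    ET.register_namespace(prefix, uri)

# Constructed stand-ins for DER-encoded certificates. In a deployment these are
# the raw bytes the TLS layer hands up after client authentication. They are
# never chain-validated below, so a self-signed browser certificate works
# exactly as well as one issued by a CA.
BROWSER_CERT_DER = b"constructed-DER-bytes: self-signed cert of the user agent"
MITM_CERT_DER = b"constructed-DER-bytes: cert presented by an interposer"


def build_hok_assertion(issuer, subject, attesting_cert_der):
    """Issuer side. Bind the certificate the attesting entity proved possession
    of (via TLS client authentication to the issuer) into a holder-of-key
    SubjectConfirmation. Signing the assertion is out of scope here."""
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion", {"Version": "2.0"})
    ET.SubElement(assertion, f"{{{SAML_NS}}}Issuer").text = issuer
    subj = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameID").text = subject
    sc = ET.SubElement(subj, f"{{{SAML_NS}}}SubjectConfirmation",
                       {"Method": HOK_METHOD})
    scd = ET.SubElement(sc, f"{{{SAML_NS}}}SubjectConfirmationData")
    scd.set(f"{{{XSI_NS}}}type", "saml:KeyInfoConfirmationDataType")
    key_info = ET.SubElement(scd, f"{{{DS_NS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    x509 = ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate")
    x509.text = base64.b64encode(attesting_cert_der).decode("ascii")
    return ET.tostring(assertion, encoding="unicode")


def extract_hok_certs(assertion_xml):
    """Collect every certificate bound under a holder-of-key SubjectConfirmation.
    Bearer and other confirmation methods are skipped: they carry no key."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if sc.get("Method") != HOK_METHOD:
            continue
        for node in sc.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(base64.b64decode((node.text or "").strip()))
    return certs


def confirm_holder_of_key(assertion_xml, presented_cert_der):
    """Relying party side. Accept only if the certificate the client just
    authenticated with on this TLS connection is one the issuer bound in.
    An interposer can relay the assertion but does not hold the browser's
    private key, so the certificate it can authenticate with differs from the
    bound one. The comparison is on the bytes the issuer saw; no CA chain or
    other formal PKI takes part in this step."""
    presented = hashlib.sha256(presented_cert_der).digest()
    for cert in extract_hok_certs(assertion_xml):
        if hmac.compare_digest(hashlib.sha256(cert).digest(), presented):
            return True
    return False


if __name__ == "__main__":
    assertion = build_hok_assertion("https://idp.example.org", "alice",
                                    BROWSER_CERT_DER)
    print("browser   ->", confirm_holder_of_key(assertion, BROWSER_CERT_DER))  # True
    print("interposer ->", confirm_holder_of_key(assertion, MITM_CERT_DER))    # False
```

The point Scott raises maps directly onto the comparison: it could just as well be done on the SubjectPublicKeyInfo bytes rather than the whole certificate, since only key possession is being checked. What the check does require, per Tom's "known key" wording, is that the issuer itself obtained the key through a proof-of-possession protocol (TLS client authentication) before binding it; binding a key the client merely claimed would let an interposer substitute its own.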