Subject: RE: [security-services-comment] Re: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack
Tom Scavo wrote on 2009-04-27:

> Well, the HoK Assertion Profile is in Public Review as well, so we can
> certainly change the wording if we think that's best, but I wonder if
> we shouldn't leave it as it is? I took the above quote out of context
> (obviously) but if you go back, read the spec, and refresh your
> memory, I think you'll find that a certificate is in fact what's
> required throughout, at least given how the spec is written now.

I can take a look, but the specific issue I was referring to was what the IdP had to have, not what might end up in the assertion. I don't think it's necessary for the IdP to physically possess a certificate for a user, because the certificate can be provided via TLS at runtime. If it possesses the public key, and the client proves it has that key, then you can stick the certificate into the assertion (in accordance with your profile) and you still have protection against the MITM issue (subject to issues like key revocation and such of course).

Does the combination of the two drafts prohibit this? As I understood it, your profile specifically required the use of X509Certificate and binary cert matching on the relying party side, but I didn't think it crossed into limiting what the IdP had access to ahead of time.

-- Scott
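The relying-party check the message refers to ("binary cert matching") is what actually defeats a man-in-the-middle in the holder-of-key profile: the certificate the browser presented in the TLS handshake must equal, byte for byte, a certificate the IdP bound into the assertion's holder-of-key SubjectConfirmation. The following is an added example of that check, not code from the thread or from any OASIS profile. It assumes the assertion's XML signature has already been verified, and the two "certificate" byte strings and the assertion document are constructed placeholders, not real X.509 data; only the SAML 2.0 and XML-DSig element names and the holder-of-key method URI are taken from the specifications.

```python
"""Relying-party side holder-of-key confirmation for a SAML 2.0 assertion.

Added example (not from the mailing-list thread or any OASIS spec text).
Assumption: the assertion has already passed signature and validity-period
checks; this code only answers "does the TLS client certificate match the
certificate the IdP confirmed?"
"""
import base64
import hmac
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholder for the DER encoding of the certificate the browser
# presented during the TLS handshake with the relying party (NOT a real cert).
CLIENT_CERT_DER = b"\x30\x82\x01\x00placeholder-client-cert-DER"
# Constructed placeholder for a different certificate, as an intermediary that
# terminates TLS in front of the relying party would present.
OTHER_CERT_DER = b"\x30\x82\x01\x00placeholder-intermediary-cert-DER"


def build_assertion(cert_der: bytes, method: str = HOK_METHOD) -> str:
    """Return a minimal (unsigned) assertion carrying cert_der in a
    SubjectConfirmation, the way the IdP would embed it after the user
    proved possession of the key over TLS. Constructed test data."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{b64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def confirmed_certs(assertion_xml: str) -> List[bytes]:
    """DER bytes of every X509Certificate under a holder-of-key
    SubjectConfirmation. Other confirmation methods (e.g. bearer) are
    deliberately ignored: they carry no proof of key possession."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        for el in sc.findall(".//ds:X509Certificate", NS):
            # Base64 in XML may be line-wrapped; strip all whitespace first.
            certs.append(base64.b64decode("".join((el.text or "").split())))
    return certs


def holder_of_key_confirmed(assertion_xml: str,
                            tls_client_cert_der: Optional[bytes]) -> bool:
    """True only if the TLS-layer client certificate equals, byte for byte,
    one of the certificates the IdP bound into the assertion. A session
    without a client certificate cannot be confirmed at all."""
    if tls_client_cert_der is None:
        return False
    return any(
        hmac.compare_digest(c, tls_client_cert_der)  # constant-time compare
        for c in confirmed_certs(assertion_xml)
    )


if __name__ == "__main__":
    assertion = build_assertion(CLIENT_CERT_DER)
    print("same cert on TLS and in assertion:",
          holder_of_key_confirmed(assertion, CLIENT_CERT_DER))   # True
    print("different cert on TLS (intermediary):",
          holder_of_key_confirmed(assertion, OTHER_CERT_DER))    # False
    print("bearer confirmation, no key binding:",
          holder_of_key_confirmed(build_assertion(CLIENT_CERT_DER, BEARER_METHOD),
                                  CLIENT_CERT_DER))              # False
```

The design point matches Scott's argument: nothing here requires the IdP to have held the certificate in advance. The IdP only needs to have verified, during its own TLS handshake with the browser, that the client holds the private key for the certificate it then copies into the assertion; the relying party's job is the exact-bytes comparison, with revocation and validity checks on that certificate handled separately.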