security-services-comment message
Subject: RE: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack


> I totally agree with the "known key" approach.
> My digression about certificates was just illustrative about the most usual situation.

Ok, that's fine. It's just me being overly sensitive to PKI implications.

> Maybe I misunderstood the spec; I understood that, to be compatible with the profile, I have to use the same key for both TLS sessions (IdP & SP). If that's not the case, then I'm happy ;-) Otherwise, we may have to generalise the profile.

I'd have to read it or ask Nate, who is at the same conference with me, but
IIRC that isn't actually required. What is required is for the certificate
placed into the assertion to match the one the client presents to the SP.
What happens between the client and the IdP is separate, other than the
clarification you raised that MITM threats are mitigated only in the right
cases.

> Obviously, to support such a profile, we would need some client or plug-in, but that's the purpose of initiatives like CardSpace & Higgins, so why not ...

Yes, exactly. In fact, one of my biggest complaints about Infocard is the
choice not to support proof-key-based tokens for browser scenarios. A
completely wasted opportunity.

-- Scott
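The SP-side check Scott describes above (the certificate carried in the assertion's holder-of-key SubjectConfirmation must match the one the client presented in the TLS handshake), as an added example that is not from this thread or from any SAML implementation. The assertion body and the certificate bytes are constructed; signature validation and X.509 parsing are assumed to happen elsewhere, so the comparison is on the DER bytes' SHA-256 fingerprint.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for the DER bytes of TLS client certificates; a real
# SP takes the presented certificate from the TLS layer after the handshake.
CLIENT_CERT_DER = b"constructed-der-bytes-of-the-client-cert"
OTHER_CERT_DER = b"constructed-der-bytes-of-some-other-cert"

def _fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def hok_fingerprints(assertion_xml: str) -> List[str]:
    """SHA-256 fingerprints of every X509Certificate carried in a holder-of-key
    SubjectConfirmation. Bearer confirmations bind no key and are ignored."""
    root = ET.fromstring(assertion_xml)
    fps = []
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert in sc.iterfind(path, NS):
            # base64 in XML is often wrapped across lines; drop all whitespace first
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(_fingerprint(der))
    return fps

def client_matches_assertion(assertion_xml: str, tls_client_cert_der: bytes) -> bool:
    """SP-side binding check: the certificate presented over TLS must be one of
    the certificates named in the assertion, otherwise the SSO is rejected."""
    fps = hok_fingerprints(assertion_xml)
    return bool(fps) and _fingerprint(tls_client_cert_der) in fps

def constructed_assertion(cert_der: bytes, method: str = HOK) -> str:
    """Minimal constructed (unsigned) assertion for demonstration only."""
    b64 = base64.b64encode(cert_der).decode()
    wrapped = b64[:20] + "\n        " + b64[20:]  # mimic line-wrapped base64
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject><saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{wrapped}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>
    </saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""
```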
