OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [security-services] Draft-sstc-sec-consider-03.doc


>The attack described in section 3.4 of the document you reference is
>based on two assumptions

>1) The client does not verify certificate chains all the way to a
>trusted CA (in the example attack the malicious party presents a
>self-signed bogus certificate)

The "client" is unfortunately a *human*  that just gets a hint that something
is not correct but he/she may click "Continue" to ignore.  And maybe even select to
trust the next time.  This is the problem with ad-hoc PKI as Dug correctly points
out.  This is also probably the weakest spot in SAML, assuming that servers
are not too easy to hack into.

>2) The server does not require a verified client certificate.

This is by far the most likely use-case for SAML SSO-scenarious as far
as I know, assuming the server is the target server in SSO.

Personal opinion: Client-certs in inter-organization activities like extranet
authentication will due to SAML et. al. never be of any significance!


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC