
Subject: RE: [security-services] Suggest adding IssueInstant attribute toRequest and Response

I don't see how "seeing" or "stealing" the request for an attribute
request can effectively cause a compromise.

I would hope that only certain parties are allowed
to use the attribute response in an effective manner, no matter who asked
for it, or who delivered it.

I don't see why I, not being Alice, can't ask for Alice's attributes as
much as I want. If I'm not allowed to do anything with them, what would it
matter if I steal the request, and ask for them again?

Does the attribute request have something stupid in it, like a
username/password, or a replayable signature/ticket?


On Wed, 16 Jan 2002, Scott Cantor wrote:

> >I don't understand this. You were able to capture the original request,
> but
> >you could not see the response?
> Not likely in the case of HTTP, but I suppose it's more possible with
> something like SMTP where there's a time delay.
> More likely you can capture the original response too, but now you have
> a lifetime pass (modulo the signing certificate expiring) to get the
> latest attributes (as Alice) any time you want them.
> It's becoming apparent to me that this case is of sufficiently limited
> scope for the current SAML exchanges that nobody is going to worry much
> about it, and I can live with that. I still don't see much of a cost
> here, but I understand now why it's not in there.
> -- Scott
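A freshness and replay check of the kind an IssueInstant attribute makes possible, added here as an illustration and not part of the thread; the RequestID/IssueInstant attribute names, the XML shape, the sample message and the time windows are assumptions, and signature verification is assumed to happen before this check.

```python
"""Added example (not from the thread): reject stale or replayed requests
once a request carries an IssueInstant and a unique RequestID."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MAX_AGE = timedelta(minutes=5)    # assumed acceptance window for a request
MAX_SKEW = timedelta(seconds=30)  # assumed tolerance for clock differences

# Constructed sample request; attribute names are assumptions.
SAMPLE_REQUEST = ('<Request RequestID="_req001" IssueInstant="2002-01-16T12:00:00Z">'
                  '<AttributeQuery/></Request>')

def parse_instant(value):
    # IssueInstant is treated as an xsd:dateTime in UTC, e.g. 2002-01-16T12:00:00Z
    if not value.endswith("Z"):
        raise ValueError("IssueInstant must be in UTC ('Z' suffix)")
    return datetime.strptime(value[:-1], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

class ReplayChecker:
    def __init__(self):
        self.seen = {}  # RequestID -> IssueInstant of requests already accepted

    def check(self, xml_text, now):
        """Return 'accept' or a 'reject: <reason>' string for one request."""
        root = ET.fromstring(xml_text)
        req_id = root.get("RequestID")
        instant = root.get("IssueInstant")
        if not req_id or not instant:
            return "reject: missing RequestID or IssueInstant"
        issued = parse_instant(instant)
        if issued > now + MAX_SKEW:
            return "reject: issued in the future"
        if now - issued > MAX_AGE:
            return "reject: stale"
        # Drop IDs that are now outside the window; they can no longer be replayed
        cutoff = now - MAX_AGE - MAX_SKEW
        self.seen = {k: v for k, v in self.seen.items() if v >= cutoff}
        if req_id in self.seen:
            return "reject: replay"
        self.seen[req_id] = issued
        return "accept"
```

Without the IssueInstant check, the same captured request would pass signature verification indefinitely; with it, a replay is caught either by the window or by the seen-ID cache.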
