Subject: RE: [security-services] Suggest adding IssueInstant attribute to Request and Response
I don't see how "seeing" or "stealing" the request for an attribute request can effectively cause a compromise. I would hope that only certain parties are allowed to use the attribute response in an effective manner, no matter who asked for it, or who delivered it. I don't see why I, not being Alice, can't ask for Alice's attributes as much as I want. If I'm not allowed to do anything with them, what would it matter if I steal the request, and ask for them again? Does the attribute request have something stupid in it, like a username/password, or a replayable signature/ticket?

Cheers,

-Polar

On Wed, 16 Jan 2002, Scott Cantor wrote:

> >I don't understand this. You were able to capture the original request,
> >but you could not see the response?
>
> Not likely in the case of HTTP, but I suppose it's more possible with
> something like SMTP where there's a time delay.
>
> More likely you can capture the original response too, but now you have
> a lifetime pass (modulo the signing certificate expiring) to get the
> latest attributes (as Alice) any time you want them.
>
> It's becoming apparent to me that this case is of sufficiently limited
> scope for the current SAML exchanges that nobody is going to worry much
> about it, and I can live with that. I still don't see much of a cost
> here, but I understand now why it's not in there.
>
> -- Scott
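As an added example that is not part of this thread, the following shows the kind of receiver-side check the proposed IssueInstant attribute would make possible: a relying party rejects a Response whose IssueInstant lies outside a short freshness window and keeps a cache of ResponseIDs for the length of that window, so a captured response cannot be presented a second time and the "lifetime pass" Scott describes shrinks to a few minutes. The XML is a constructed, simplified SAML 1.0-style Response; the window sizes, the function names and the ReplayCache class are assumptions of this example, not something the specification or the thread defines.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# SAML 1.0 protocol namespace (the element structure below is simplified).
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"

# Constructed sample: a minimal Response carrying ResponseID and IssueInstant.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}"
    ResponseID="example-response-1"
    IssueInstant="2002-01-16T12:00:00Z"
    MajorVersion="1" MinorVersion="0">
</samlp:Response>"""

# Assumed policy: accept a response for 5 minutes after issue, allowing 30s skew.
MAX_AGE = dt.timedelta(minutes=5)
CLOCK_SKEW = dt.timedelta(seconds=30)


def parse_instant(value):
    """Parse an xsd:dateTime in UTC ('Z' suffix) into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("IssueInstant must be expressed in UTC")
    naive = dt.datetime.strptime(value[:-1], "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=dt.timezone.utc)


class ReplayCache:
    """Remembers message IDs only as long as the freshness window could admit them.

    Once a message is old enough to be rejected by the age check, its ID no
    longer needs to be stored, which keeps the cache bounded."""

    def __init__(self):
        self._seen = {}  # message id -> time after which the entry can be dropped

    def record(self, msg_id, expires_at, now):
        """Return True if msg_id is new (and record it), False if already seen."""
        for stale in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[stale]
        if msg_id in self._seen:
            return False
        self._seen[msg_id] = expires_at
        return True


def validate_freshness(xml_text, now, cache):
    """Return (True, 'ok') or (False, reason) for a received samlp:Response.

    Signature verification is assumed to happen before this check; this
    function only decides whether a correctly signed message is fresh."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False, "not a samlp:Response"
    msg_id = root.get("ResponseID")
    instant_raw = root.get("IssueInstant")
    if not msg_id or not instant_raw:
        return False, "missing ResponseID or IssueInstant"
    instant = parse_instant(instant_raw)
    if instant > now + CLOCK_SKEW:
        return False, "IssueInstant is in the future"
    if now - instant > MAX_AGE + CLOCK_SKEW:
        return False, "IssueInstant too old"
    # Keep the ID until the message would fail the age check anyway.
    if not cache.record(msg_id, instant + MAX_AGE + CLOCK_SKEW, now):
        return False, "ResponseID already seen (replay)"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    now = dt.datetime(2002, 1, 16, 12, 0, 30, tzinfo=dt.timezone.utc)
    print(validate_freshness(SAMPLE_RESPONSE, now, cache))  # first delivery
    print(validate_freshness(SAMPLE_RESPONSE, now, cache))  # same response again
    print(validate_freshness(SAMPLE_RESPONSE, now + dt.timedelta(hours=1), ReplayCache()))
```

The cache and the age check work together: the age check bounds how long an ID must be remembered, and the cache closes the gap inside that window. Without a freshness attribute on the message there is nothing for the receiver to bound against, which is the point Scott's "lifetime pass" remark makes.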