Subject: RE: [security-services] Suggest adding IssueInstant attribute to Request and Response
> I would hope that only certain parties are allowed
> to use the attribute response in an effective manner, no
> matter who asked for it, or who delivered it.

In a non-SSL case, in other words, it would still have to be encrypted.

> Does the attribute request have something stupid in it, like
> a username/password, or a replayable signature/ticket?

No, my rapidly weakening point was that it is itself a replayable ticket if the signature in it is the means of authenticating the request. But if I can steal it to do anything useful, then encryption must not be happening, and that's not realistic.

I can see that there's just nothing vulnerable to impersonation in SAML 1.0 that would be implemented with integrity on the request without encryption being needed on the response.

Forgive me if it took a few blows to the head.

-- Scott
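An added example, not part of the original message or of the SAML specification: a responder-side check showing how a signed IssueInstant plus a cache of seen request IDs stops a captured signed request from being accepted twice. The HMAC is a stand-in for the XML signature, and the key, field names, window sizes and sample values are assumptions constructed for illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

KEY = b"constructed-demo-key"       # stand-in for the requester's signing key
MAX_AGE = timedelta(minutes=5)      # assumed freshness window
MAX_SKEW = timedelta(seconds=30)    # assumed tolerated clock skew

def _mac(request_id, issue_instant, subject):
    # The MAC covers IssueInstant, so the timestamp cannot be changed after signing.
    body = json.dumps([request_id, issue_instant, subject]).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def sign_request(request_id, issue_instant, subject):
    """Requester side: build a signed attribute request (hypothetical field names)."""
    return {"RequestID": request_id, "IssueInstant": issue_instant,
            "Subject": subject, "sig": _mac(request_id, issue_instant, subject)}

class Responder:
    def __init__(self):
        self.seen = {}              # RequestID -> time after which it may be forgotten

    def check(self, req, now):
        expected = _mac(req["RequestID"], req["IssueInstant"], req["Subject"])
        if not hmac.compare_digest(expected, req["sig"]):
            return "reject: bad signature"
        issued = datetime.strptime(req["IssueInstant"], "%Y-%m-%dT%H:%M:%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        if issued - now > MAX_SKEW:
            return "reject: issued in the future"
        if now - issued > MAX_AGE:
            return "reject: stale"
        # Drop cache entries that the freshness check alone would now reject.
        self.seen = {i: t for i, t in self.seen.items() if t > now}
        if req["RequestID"] in self.seen:
            return "reject: replay"
        self.seen[req["RequestID"]] = issued + MAX_AGE + MAX_SKEW
        return "accept"

def demo():
    t0 = datetime(2002, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
    req = sign_request("req-0001", "2002-01-01T12:00:00Z", "alice@example.org")
    altered = dict(req, IssueInstant="2002-01-01T12:10:00Z")    # timestamp changed in transit
    r = Responder()
    return [r.check(req, t0 + timedelta(seconds=2)),        # first delivery
            r.check(req, t0 + timedelta(seconds=40)),       # captured copy, inside window
            r.check(req, t0 + timedelta(minutes=10)),       # captured copy, after window
            r.check(altered, t0 + timedelta(minutes=10))]

if __name__ == "__main__":
    print(demo())
```

The cache only has to hold an ID for as long as the freshness check would still accept the request, which is what bounds its size.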