OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Suggest adding IssueInstant attribute toRequest and Response

> I would hope that  that only certain parties are allowed
> to use the attribute response in an effective manner, no 
> matter who asked for it, or who delivered it.

In a non-SSL case, in other words, it would still have to be encrypted.

> Does the attribute request have something stupid in it, like 
> a username/password, or a replayable signature/ticket?

No, my rapidly weakening point was that it is itself a replayable ticket
if the signature in it is the means of authenticating the request. But
if I can steal it to do anything useful, then encryption must not be
happening, and that's not realistic.

I can see that there's just nothing vulnerable to impersonation in SAML
1.0 that would be implemented with integrity on the request without
encryption being needed on the response. Forgive me if it took a few
blows to the head.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC