OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [security-services] Preliminary text for "Request Denied" errorsub-status code

Add a new second-level status code to the list in:
        The responder is able to process the request but has chosen not to respond.
        May be used when the responder is concerned about the security context of
        the request or the sequence of requests received from a particular client.

After the end of the sentence on line 1279, insert a new paragraph:

Note: The AuthenticationQuery MAY NOT be used as a request for a new authentication using credentials provided in the request. The AuthenticationQuery is a request for statements about authentication acts which have occured in a previous interaction between the indicated principal and the Authentication Authority.

(3) In Security Considerations, add a new sub-section to "SAML Protocol" (Section 3.2)

3.1 Active Attacks using SAML Requests

A variety of attacks are possible using SAML requests. A malicious requester may attempt to obtain a valid SAML assertion by "guessing" a valid <Subject> element. This may be accomplished by repeatedly submitting a AuthenticationQuery or AttributeQuery with contents of the <Subject> element drawn from a dictionary of potential values for <Subject> sub-elements and attributes. A SAML responder should attempt to detect such attacks and return the Requester error code with sub-error code RequestDenied.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC