[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] destination-side enforcement of one-time artifact use
> I believe this text is currently absent from Section 4 (SSO Profiles of
> SAML) of profiles-cd-01a. I propose the inclusion of the following text in
> Section 4.1.4.4):

There is similar text in the binding definition. I didn't write it as a MUST because there was resistance at the F2F in doing that. I made it a SHOULD instead:

Quoting from Security Considerations (3.6.5.2):

In general, this binding relies on the artifact as a hard-to-forge short-term reference and applies other security measures to the callback request/response that returns the actual message. All artifacts MUST have a single-use semantic enforced by the artifact issuer. Furthermore, it is RECOMMENDED that artifact receivers also enforce a single-use semantic on the artifact values they receive, to prevent an attacker from interfering with the resolution of an artifact by a user agent and then resubmitting it to the artifact receiver.

Are you proposing additional text, or maybe strengthening the SHOULD in the specific case of that profile?

-- Scott
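The two single-use rules Scott quotes (issuer MUST, receiver RECOMMENDED) are easiest to see side by side in code. The following is an added example written for this page, not code from the thread, the SAML TC or any implementation. It assumes the SAML 2.0 type 0x0004 artifact layout (2-byte type code, 2-byte endpoint index, 20-byte SHA-1 SourceID, 20-byte random handle), in-memory state on both sides, constructed placeholder message strings, and a constructed `InterferingIssuer` that models an attacker disrupting the user agent's first resolution callback. The receiver records an artifact as used *before* it attempts the callback, which is what closes the "interfere, then resubmit" window the binding text describes; with that check switched off, the resubmitted value resolves successfully.

```python
import base64
import hashlib
import secrets
import time

# Assumed layout: SAML 2.0 artifact type 0x0004 (44 bytes before base64).
TYPE_CODE = b"\x00\x04"
ARTIFACT_LEN = 44


class ArtifactIssuer:
    """Issuer side: mints artifacts and enforces the MUST (resolve at most once)."""

    def __init__(self, entity_id, ttl_seconds=60, clock=time.time):
        self.source_id = hashlib.sha1(entity_id.encode()).digest()
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # artifact -> (message, expiry)

    def issue(self, message, endpoint_index=0):
        handle = secrets.token_bytes(20)  # unguessable message handle
        raw = TYPE_CODE + endpoint_index.to_bytes(2, "big") + self.source_id + handle
        artifact = base64.b64encode(raw).decode()
        self._pending[artifact] = (message, self.clock() + self.ttl)
        return artifact

    def resolve(self, artifact):
        # pop() deletes the entry, so a second resolve of the same value yields None
        entry = self._pending.pop(artifact, None)
        if entry is None:
            return None
        message, expiry = entry
        return message if self.clock() <= expiry else None


class ArtifactReceiver:
    """Receiver side: the RECOMMENDED local single-use check (enforce_single_use)."""

    def __init__(self, issuer_entity_id, resolver, enforce_single_use=True,
                 retain_seconds=60, clock=time.time):
        self.expected_source = hashlib.sha1(issuer_entity_id.encode()).digest()
        self.resolver = resolver
        self.enforce_single_use = enforce_single_use
        self.retain = retain_seconds  # assumption: >= issuer TTL plus clock skew
        self.clock = clock
        self._seen = {}  # artifact -> time after which it may be forgotten

    def _well_formed(self, artifact):
        try:
            raw = base64.b64decode(artifact, validate=True)
        except ValueError:
            return False
        return (len(raw) == ARTIFACT_LEN and raw[:2] == TYPE_CODE
                and raw[4:24] == self.expected_source)

    def accept(self, artifact):
        now = self.clock()
        for stale in [a for a, t in self._seen.items() if t < now]:
            del self._seen[stale]
        if not self._well_formed(artifact):
            return (False, "malformed artifact")
        if self.enforce_single_use:
            if artifact in self._seen:
                return (False, "artifact already used at this receiver")
            # Record before the callback: a disrupted resolve must not reopen the value.
            self._seen[artifact] = now + self.retain
        message = self.resolver.resolve(artifact)
        if message is None:
            return (False, "issuer refused to resolve")
        return (True, message)


class InterferingIssuer:
    """Constructed adversary model: the first resolve of each artifact is
    disrupted (callback blocked); any later resolve reaches the real issuer."""

    def __init__(self, issuer):
        self.issuer = issuer
        self._disrupted = set()

    def resolve(self, artifact):
        if artifact not in self._disrupted:
            self._disrupted.add(artifact)
            return None
        return self.issuer.resolve(artifact)


def run_scenarios():
    t = [1000.0]
    clock = lambda: t[0]
    idp_id = "https://idp.example.org"  # constructed entity ID
    idp = ArtifactIssuer(idp_id, ttl_seconds=60, clock=clock)

    # 1. Issuer single use: the second resolve of the same artifact fails.
    a1 = idp.issue("<samlp:Response ID='r1'/>")
    first, second = idp.resolve(a1), idp.resolve(a1)

    # 2. Receiver with local single use: disrupted delivery, then attacker resubmits.
    sp = ArtifactReceiver(idp_id, InterferingIssuer(idp), clock=clock)
    a2 = idp.issue("<samlp:Response ID='r2'/>")
    user, replay = sp.accept(a2), sp.accept(a2)

    # 3. Same attack against a receiver that relies on the issuer alone.
    weak = ArtifactReceiver(idp_id, InterferingIssuer(idp), enforce_single_use=False, clock=clock)
    a3 = idp.issue("<samlp:Response ID='r3'/>")
    weak_user, weak_replay = weak.accept(a3), weak.accept(a3)

    # 4. Well-formed length but wrong SourceID: rejected before any callback.
    bad = sp.accept(base64.b64encode(TYPE_CODE + b"\x00" * 42).decode())
    return {"first": first, "second": second, "user": user, "replay": replay,
            "weak_user": weak_user, "weak_replay": weak_replay, "bad": bad}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Scenario 3 is the case the RECOMMENDED clause is written for: the issuer's MUST is satisfied (the artifact resolves exactly once), yet the one resolution is the attacker's, because the user agent's attempt was disrupted before the issuer ever consumed the value. The receiver-side set has to be retained at least as long as the issuer might still honour the artifact; purging it sooner reopens the window.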