OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: potential errata in SSO Profile


Lines 602-604 of Profiles describe how bearer assertion replay attacks must be prevented when using the POST binding.  I contend that this is not just a POST binding-specific issue and that assertion replays must be prevented independent of the binding.  For example, it seems feasible to actually replay an assertion when using an artifact binding by simply ensuring that different Response messages are used to carry the same assertion each time… thus different artifacts are used, but the assertion could get replayed since there is no artifact binding-specific requirement to make the check.


This wasn’t an issue in SAML 1.x since artifacts referred to assertions, not protocol messages. Thus the artifact replay check would prevent the assertion replay.


I believe the solution is to move the text of lines 602-604 as is from the POST-specific section ( into the list in the general response processing rules ( I believe this was the intent, was it not?


Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
I-name:  =Rob.Philpott


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]