Subject: RE: [security-services] FW: SAML 2.0 and Man in the Middle attacks


> Can anyone suggest any current work which could be used for this? Is
> anyone interested in getting involved in this?

What's the specific threat?

Obviously, in the client -> SP direction, they would be objecting to bearer
tokens (which for the record Cardspace also requires for browser use). So
that would require HoK-style approaches, either via browser + TLS, or some
other client.

Or if it's the SP -> client direction (am I sending this assertion to who I
think I am?), that's generally left to TLS and the use of encryption
mediated by the IdP.

I imagine they mean the former?

FWIW, once the issues around Nate's profile are settled, I'm sure we could
add an ECP version pretty easily, either with TLS only, or adding some form
of client signing as an option.

-- Scott
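The distinction Scott draws (bearer confirmation, where possession of the assertion is all the SP can check, versus holder-of-key, where the assertion is bound to a key the client must prove on the TLS channel) is easy to see in code. The following is an added example and not code from the thread, from the SAML TC or from any named project: it parses a simplified SAML 2.0 assertion, classifies its SubjectConfirmation method by the standard bearer and holder-of-key URNs, enforces the NotOnOrAfter and Recipient limits that shrink the replay window of a captured bearer assertion, and for holder-of-key compares the certificate bound in the assertion with the certificate presented by the TLS client. The assertion text, certificate strings, hostnames and timestamps are constructed placeholders, and the assertion omits signatures and the xsi:type on SubjectConfirmationData for brevity.

```python
"""Classify a SAML 2.0 SubjectConfirmation and enforce the checks that
matter against an interposed party: freshness, intended recipient, and
(for holder-of-key) proof of possession of the bound key. Added example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed values: a hypothetical SP endpoint and a clock inside the validity window.
RECIPIENT = "https://sp.example.invalid/acs"
NOW = datetime(2024, 1, 1, 11, 58, tzinfo=timezone.utc)
CERT_A = "CONSTRUCTED-CLIENT-CERT-A"   # placeholder for base64 DER of client cert A
CERT_B = "CONSTRUCTED-CLIENT-CERT-B"   # placeholder for a different client cert


def make_assertion(method, bound_cert=None):
    """Build a minimal, constructed assertion with the given confirmation method."""
    key_info = ""
    if bound_cert is not None:
        key_info = (
            "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{bound_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" '
        'Version="2.0" IssueInstant="2024-01-01T11:55:00Z">'
        "<saml:Issuer>https://idp.example.invalid</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{method}">'
        '<saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:00:00Z" '
        f'Recipient="{RECIPIENT}">{key_info}</saml:SubjectConfirmationData>'
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
    )


def _norm(cert_text):
    """Collapse whitespace so PEM line wrapping does not defeat the comparison."""
    return "".join(cert_text.split())


def evaluate_subject_confirmation(assertion_xml, presented_cert, recipient=RECIPIENT,
                                  now=NOW, allow_bearer=False):
    """Return {"method", "accepted", "reason"} for the assertion's SubjectConfirmation.

    presented_cert is the certificate the client authenticated with on the TLS
    channel (None if the channel carried no client certificate).
    """
    root = ET.fromstring(assertion_xml)
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None:
        return {"method": None, "accepted": False, "reason": "no SubjectConfirmation"}
    method = sc.get("Method")
    scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        return {"method": method, "accepted": False, "reason": "no SubjectConfirmationData"}

    # Freshness and recipient: bound the window in which a captured assertion is usable
    # and stop an assertion minted for one SP from being presented to another.
    expiry = datetime.fromisoformat(scd.get("NotOnOrAfter", "").replace("Z", "+00:00"))
    if now >= expiry:
        return {"method": method, "accepted": False, "reason": "expired"}
    if scd.get("Recipient") != recipient:
        return {"method": method, "accepted": False, "reason": "wrong recipient"}

    if method == BEARER:
        # Nothing ties the assertion to the presenter; whoever holds it can use it.
        if allow_bearer:
            return {"method": method, "accepted": True, "reason": "bearer accepted by policy"}
        return {"method": method, "accepted": False,
                "reason": "bearer: possession alone does not identify the presenter"}

    if method == HOLDER_OF_KEY:
        cert = scd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            return {"method": method, "accepted": False, "reason": "holder-of-key without KeyInfo"}
        if presented_cert is None:
            return {"method": method, "accepted": False, "reason": "no client certificate on channel"}
        if _norm(presented_cert) != _norm(cert.text):
            return {"method": method, "accepted": False, "reason": "key mismatch: presenter is not the holder"}
        return {"method": method, "accepted": True, "reason": "holder-of-key proven on TLS channel"}

    return {"method": method, "accepted": False, "reason": f"unsupported method {method}"}


if __name__ == "__main__":
    print(evaluate_subject_confirmation(make_assertion(BEARER), None))
    print(evaluate_subject_confirmation(make_assertion(HOLDER_OF_KEY, CERT_A), CERT_A))
    print(evaluate_subject_confirmation(make_assertion(HOLDER_OF_KEY, CERT_A), CERT_B))
```

The bearer branch is where the original objection lives: the only defences the SP has are the time and Recipient limits, so an SP that must accept bearer assertions should keep NotOnOrAfter short and treat any later reuse of the same assertion ID as a replay. The holder-of-key branch is what "HoK via browser + TLS" buys: the same captured assertion is useless to a presenter that cannot authenticate the channel with the bound certificate.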
