OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] FW: SAML 2.0 and Man in the Middle attacks

> Can anyone suggest any current work which could be used for this? Is
> interested in getting involved in this?

What's the specific threat?

Obviously, in the client -> SP direction, they would be objecting to bearer
tokens (which for the record Cardspace also requires for browser use). So
that would require HoK-style approaches, either via browser + TLS, or some
other client.

Or if it's the SP -> client direction (am I sending this assertion to who I
think I am?), that's generally left to TLS and the use of encryption
mediated by the IdP.

I imagine they mean the former?

FWIW, once the issues around Nate's profile are settled, I'm sure we could
add an ECP version pretty easily, either with TLS only, or adding some form
of client signing as an option.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]