security-services message



Subject: [OASIS Issue Tracker] Commented: (SECURITY-12) PE: Add material on RelayState sanitization



    [ http://tools.oasis-open.org/issues/browse/SECURITY-12?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25914#action_25914 ] 

Scott Cantor commented on SECURITY-12:
--------------------------------------

In writing up the errata, we should credit as follows:

- Alessandro Armando, University of Genova and Fondazione Bruno Kessler
- Roberto Carbone, Fondazione Bruno Kessler
- Luca Compagna, SAP
- Jorge Cuellar, Siemens
- Giancarlo Pellegrino, SAP
- Alessandro Sorniotti, IBM
and the EU Projects AVANTSSAR, SPaCIoS, and SIAM

The reference to the paper is:

A. Armando, R. Carbone, L. Compagna, J. Cuellar, G. Pellegrino, A.
Sorniotti. From Multiple Credentials to Browser-based Single Sign-On:
Are We More Secure? In the Proceedings of the 26th IFIP TC-11
International Information Security Conference (SEC 2010), Luzern,
Switzerland, June 7-9, 2011. http://www.ai-lab.it/armando/pub/sec2011.pdf

> PE: Add material on RelayState sanitization
> -------------------------------------------
>
>                 Key: SECURITY-12
>                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-12
>             Project: OASIS Security Services (SAML) TC
>          Issue Type: Improvement
>          Components: Bindings
>    Affects Versions: Version 2.0
>            Reporter: Scott Cantor
>             Fix For: 2.0 incorporating Approved Errata
>
>
> A recent paper (http://www.ai-lab.it/armando/pub/sec2011.pdf) outlines some threats that in small part involve problems with RelayState handling in implementations. Conversations with the author at the end of last year suggested we add clarifying material if possible to guide implementers to avoid some of the worst problems.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
