Subject: New Issue: Potential attack when using RST parameters from a target site - WS-SecurityPolicy part

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-securitypolicy
Artifact: spec
Type: design
Title: Potential attack when using RST parameters from a target site - WS-SecurityPolicy part

Description: The RequestSecurityTokenTemplate parameter of the IssuedToken assertion is critical to allow generalized token issuance policy, but allows possible RST parameter attacks because the requestor's parameters cannot be separated from those specified for the target site. See the description of the attack in the related WS-Trust issue description.

Related issues: The same issue, WS-Trust part

Proposed Resolution: Change the description of the RequestSecurityTokenTemplate element on lines 910 - 914 to say that the contents are inserted into the wst:SecondaryParameters element of the RST instead of being placed directly as children of the wst:RequestSecurityToken element.
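
Added example, not part of the original message or of the specification text: a Python sketch of the proposed resolution, building an RST with the template contents either as direct children or under wst:SecondaryParameters, and showing what an issuer can then attribute to each party. The namespace URIs (taken from the published WS-Trust 1.3 and WS-SecurityPolicy 1.2), the sample policy and the helper names build_rst and split_by_origin are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces: published WS-Trust 1.3 and WS-SecurityPolicy 1.2.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Constructed sample: an IssuedToken assertion as a target site might publish it.
TARGET_POLICY = f"""
<sp:IssuedToken xmlns:sp="{SP}" xmlns:wst="{WST}">
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>urn:example:token-type</wst:TokenType>
    <wst:KeyType>{WST}/SymmetricKey</wst:KeyType>
    <wst:KeySize>256</wst:KeySize>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>
"""


def build_rst(policy_xml, requestor_params, use_secondary=True):
    """Build a wst:RequestSecurityToken from the requestor's own parameters
    plus the contents of the target's RequestSecurityTokenTemplate."""
    template = ET.fromstring(policy_xml).find(f"{{{SP}}}RequestSecurityTokenTemplate")
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    for name, text in requestor_params.items():
        ET.SubElement(rst, f"{{{WST}}}{name}").text = text
    # Proposed resolution: template contents go under wst:SecondaryParameters
    # instead of being placed directly as children of the RST.
    parent = ET.SubElement(rst, f"{{{WST}}}SecondaryParameters") if use_secondary else rst
    parent.extend(list(template))
    return rst


def split_by_origin(rst):
    """Issuer-side view: (direct RST parameters, SecondaryParameters contents)."""
    def pairs(elems):
        return [(e.tag.split("}")[1], e.text) for e in elems]

    sec = rst.find(f"{{{WST}}}SecondaryParameters")
    primary = pairs(e for e in rst if e is not sec)
    secondary = pairs(sec) if sec is not None else []
    return primary, secondary
```

With use_secondary=False the requestor's KeySize and the target's KeySize arrive as sibling elements with nothing to tell them apart; with the default, the issuer sees the target-supplied values only inside wst:SecondaryParameters.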