mike.wiseman at utoronto.ca
Wed Nov 7 10:39:03 EST 2012
Re: Subject - this *is* about Attribute Query, not Artifact Resolution. I confused those in my first email.
> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf
> Of Cantor, Scott
> Sent: November-07-12 10:28 AM
> To: Shib Users
> Subject: Re: SAML2 Artifact Resolution (not Attribute Query)
> I changed the subject so this isn't misinterpreted in the archive.
> On 11/7/12 10:12 AM, "Mike Wiseman" <mike.wiseman at utoronto.ca> wrote:
> >Hmm, ok I will do some testing. But from a survey of the users list
> >(including Ian's response), TLS client authentication (whether on a
> >separate port or on 443 per URL) seems to be embraced even with the
> >implementation problems. I read the OASIS security doc which is not
> >prescriptive on this issue. Any other opinions on whether SAML response
> >and/or assertion message signing for the AttributeQuery profile is
> >sufficient authentication?
> It's probably sufficient, but this is very complex territory to get into.
> Without encryption, and without actual trust in the server cert or transport authn,
> do you have real confidentiality? Not so much. So that adds encryption perhaps, with
> the caveat that XML Encryption is well broken these days.
> And with no MITM protection from TLS, you have to rely on the short life of the
> There are tons of variables here. An SP refusing to do the back channel port may
> well not support ignoring your front-channel cert, so now you have that mess to deal
> with and maintain. And if they do ignore it, then they are accepting the risk of the
> MITM being there, which is bad for them.
> There's a reason we use separate ports, regardless of the other variables.
> Having done so, it makes using TLS authn much simpler to deal with than signing and
> much easier to understand the threat models with.
> -- Scott
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users