mace-opensaml-users - RE: [OpenSAML] protocol weakness?
Subject: OpenSAML user discussion
List archive
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: [OpenSAML] protocol weakness?
- Date: Wed, 16 Apr 2008 13:03:47 -0400
- Organization: The Ohio State University
> as I'm currently fabricating a study on protocol fuzzing, I'm
> interested if there are any attack vectors known for SAML (any
> version) in general or for the OpenSAML (any version) project.
OpenSAML is a toolkit, it doesn't implement behavior that would have attack
vectors other than security issues any code faces, plus XML-specific issues
like entity expansion, plus signature processing issues and that's a function
of understanding XML Signature and how it's used.
For SAML, only profiles are complete enough to analyze. You can look at the
spec for that, along with the Security Considerations document in it. And at
the end of the day, it's deployment that really matters. Consider those who
refuse to use SSL.
-- Scott
- protocol weakness?, Daniel Germanus, 04/16/2008
- RE: [OpenSAML] protocol weakness?, Scott Cantor, 04/16/2008
Archive powered by MHonArc 2.6.16.