shibboleth-dev - Re: [Shib-Dev] [IdPv3] Security Config and Options

Subject: Shibboleth Developers

  • From: Lukas Haemmerle <>
  • Subject: Re: [Shib-Dev] [IdPv3] Security Config and Options
  • Date: Fri, 06 Aug 2010 15:04:27 +0200
  • Organization: SWITCH - Serving Swiss Universities

> - Allows signed requests to bypass ACS URL checks.

At first sight, I found this a good idea because, right after certificate
issues, I would rank ACS URL issues second on the list of most frequent
issues.

However, from a security point of view such a feature (especially if
it were the default setting for IdPv3) is risky because it would make it
a lot easier for an attacker who stole an SP's private key to set up his
own SP and then lure users to this bad SP in order to get users'
identity information.

Nowadays, there is at least the strict ACS URL checking that prevents
this scenario (unless the attacker can make direct attribute queries to
an IdP using some persistent identifier that he somehow got his hands on).

Thus, I suspect impersonating an SP with a compromised SP key would
become much easier with this feature, and I'm not sure whether this is
outweighed by the benefit of fewer ACS URL issues :-)

Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
http://www.switch.ch
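The scenario in the message above, as an added example that is not part of the original post or of the Shibboleth code base: a toy model of the IdP-side ACS URL decision. The SP metadata, entityIDs, URLs and key are constructed for the illustration, and an HMAC over (issuer, ACS URL) stands in for the XML signature on a SAML AuthnRequest. The `resolve_acs` function takes an `allow_signed_bypass` flag (a hypothetical name for the proposed "signed requests bypass ACS URL checks" option) so the strict and relaxed policies can be compared against an attacker who holds the legitimate SP's signing key.

```python
"""Toy model of an IdP's AssertionConsumerService (ACS) URL check.

Constructed example: the "signature" is an HMAC over (issuer, acs_url)
standing in for the XML signature of a SAML AuthnRequest. The SP
metadata, keys and URLs are all made up for the illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed SP metadata: registered entityID -> endpoints and signing key.
SP_METADATA = {
    "https://sp.example.org/shibboleth": {
        "acs_urls": {"https://sp.example.org/Shibboleth.sso/SAML2/POST"},
        "signing_key": b"constructed-sp-signing-key",
    },
}


@dataclass
class AuthnRequest:
    issuer: str                         # entityID of the requesting SP
    acs_url: str                        # AssertionConsumerServiceURL requested
    signature: Optional[bytes] = None   # None for an unsigned request


def sign_request(signing_key: bytes, issuer: str, acs_url: str) -> bytes:
    """Stand-in for signing an AuthnRequest with the SP's private key."""
    msg = f"{issuer}\n{acs_url}".encode()
    return hmac.new(signing_key, msg, hashlib.sha256).digest()


def signature_valid(req: AuthnRequest) -> bool:
    """Verify the request against the key registered in metadata for its issuer."""
    sp = SP_METADATA.get(req.issuer)
    if sp is None or req.signature is None:
        return False
    expected = sign_request(sp["signing_key"], req.issuer, req.acs_url)
    return hmac.compare_digest(expected, req.signature)


def resolve_acs(req: AuthnRequest, allow_signed_bypass: bool) -> str:
    """Return the ACS URL the IdP will deliver the assertion to, or raise.

    Strict policy (allow_signed_bypass=False): the requested URL must be one
    registered in metadata, whether or not the request is signed.
    Bypass policy (allow_signed_bypass=True): a validly signed request may
    name any ACS URL; this is the option discussed in the thread.
    """
    sp = SP_METADATA.get(req.issuer)
    if sp is None:
        raise PermissionError("unknown SP entityID")
    if req.acs_url in sp["acs_urls"]:
        return req.acs_url
    if allow_signed_bypass and signature_valid(req):
        return req.acs_url
    raise PermissionError("ACS URL not registered in metadata")


def stolen_key_attack_succeeds(allow_signed_bypass: bool) -> bool:
    """Attacker holds the legitimate SP's signing key and runs a rogue SP.

    He signs a request that names his own ACS URL; if the IdP accepts that
    URL, the assertion (and the user's attributes) will be posted to him.
    """
    legit = "https://sp.example.org/shibboleth"
    rogue_acs = "https://evil.example.net/Shibboleth.sso/SAML2/POST"
    stolen_key = SP_METADATA[legit]["signing_key"]
    req = AuthnRequest(issuer=legit, acs_url=rogue_acs,
                       signature=sign_request(stolen_key, legit, rogue_acs))
    try:
        return resolve_acs(req, allow_signed_bypass) == rogue_acs
    except PermissionError:
        return False


if __name__ == "__main__":
    print("strict ACS check, stolen key:", stolen_key_attack_succeeds(False))
    print("signed bypass, stolen key:   ", stolen_key_attack_succeeds(True))
```

With the strict policy the rogue ACS URL is refused even though the signature verifies, because the decision is anchored in metadata the attacker cannot change; with the bypass enabled, key compromise alone is enough to redirect the assertion, which is the point the message makes.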


