shibboleth-dev - Re: [Shib-Dev] [IdPv3] Security Config and Options
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] [IdPv3] Security Config and Options
- Date: Fri, 06 Aug 2010 09:08:37 -0400
- Organization: Itumi, LLC
I think it's pretty unlikely that if the SP's private key is compromised that other bad things haven't happened as well, things the ACS check would in no way help with. But either way, it'll just be an option that can be turned on or off.
On 8/6/10 9:04 AM, Lukas Haemmerle wrote:
- Allows signed requests to bypass ACS URL checks.
On first sight, I found this a good idea because right after certificate
issues I would rank ACS URL issues second on the list of most frequent
issues.
However, from the security point of view such a feature (especially if
it was the default setting for IdPv3) is risky because it would make it
a lot easier for an attacker who stole an SP's private key to set up his
own SP and then lure users to this bad SP in order to get user's
identity information.
Nowadays, there is at least the strict ACS URL checking that prevents
this scenario (unless the attacker can make direct attribute queries to
an IdP using some persistent identifier that he somehow got his hands on).
Thus, I suspect impersonating an SP with a compromised SP key would
become much easier with this feature and I'm not sure if this weighs up
the benefits from less ACS URL issues :-)
Lukas
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
- [Shib-Dev] [IdPv3] Security Config and Options, Chad La Joie, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Lukas Haemmerle, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Chad La Joie, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Lukas Haemmerle, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Chad La Joie, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Lukas Haemmerle, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Chad La Joie, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Lukas Haemmerle, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Chad La Joie, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Peter Schober, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Lukas Haemmerle, 08/06/2010
- RE: [Shib-Dev] [IdPv3] Security Config and Options, Scott Cantor, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Lukas Haemmerle, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Lukas Haemmerle, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Chad La Joie, 08/06/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Etienne Dysli, 08/19/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Chad La Joie, 08/19/2010
- Re: [Shib-Dev] [IdPv3] Security Config and Options, Lukas Haemmerle, 08/06/2010
Archive powered by MHonArc 2.6.16.