Shibboleth Developers

[Lukas Haemmerle <>]

On 06.08.10 15:53, Peter Schober wrote:
> * Lukas Haemmerle 
> <>
>  [2010-08-06 15:48]:
>> So, do you think will it be enabled in the default config?
> 
> As Scott mentioned, signing outgoing requests exposes the SP itself to
> trivial DoS attacks because every unauthenticated HTTP request will
> result in a signing operation on the SP (and SPs usually don't have
> HSMs).
> So the safe choice is probably to default both to off (no signing of
> requests on the SP, no skipping of ACS URL checking even for signed
> requests on the IdP).

I agree.

However, according to this reasoning (DOS prevention) the SP's default
configuration then also should have turned off Artifact support because
otherwise it is very easy to make the SP do an attribute query to just
any IdP it has metadata for, thanks to the artifact profile :-)

And unless I oversaw something, Artifact support is enabled in the
default SP configuration.

-- 
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
,
 http://www.switch.ch