
shibboleth-dev - RE: [Shib-Dev] [IdPv3] Security Config and Options

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] [IdPv3] Security Config and Options
  • Date: Fri, 6 Aug 2010 12:20:29 -0400
  • Organization: The Ohio State University

> However, according to this reasoning (DOS prevention) the SP's default
> configuration then also should have turned off Artifact support because
> otherwise it is very easy to make the SP do an attribute query to just
> any IdP it has metadata for, thanks to the artifact profile :-)

I don't think it's quite as bad. Assuming SSL handshakes are as bad, which
I'm not sure about (and if they were, couldn't you just DOS the site by
slamming it with SSL requests?), the SP caches and reuses HTTP and SSL
sessions with IdPs.

Honestly, the DOS thing is probably a bit overstated. I suspect that's so
trivial with any web site that adding another vector to use isn't much
worse.

-- Scott




