shibboleth-dev - Re: [Shib-Dev] Return of the Java SP... again
Subject: Shibboleth Developers
List archive
- From: Ian Young <>
- To:
- Subject: Re: [Shib-Dev] Return of the Java SP... again
- Date: Thu, 26 Aug 2010 16:47:34 +0100
- Domainkey-signature: a=rsa-sha1; c=nofws; d=iay.org.uk; h=subject :mime-version:content-type:from:in-reply-to:date:message-id :references:to; q=dns; s=iay.org.uk; b=CZb5v33wGBEyiiiGLwkgThm3y z+Y3Oa0t6YSwRuAA6B4Eix4OGtEfZI6Idh/mOAWaJTlm2vLxinB437Y8HWp7Do0a pZCRyKnSmsaUlXD/Wifp+JEniCe5dxSZNBpZJeTdaojirHS1czW4HM/NMo+30M88 v+j7or31ro9ppik3/0=
On 26 Aug 2010, at 06:10, Nate Klingenstein wrote:
> Jim,
>
> They're encrypted for both legs of the transaction, but because there is no
> encryption of the response or assertion themselves, the attributes pass
> through the browser and the client in cleartext. Some have concerns about
> malware, privacy on shared computers, or the sharing of attributes that
> were not meant to be revealed to the principal. I find such concerns
> understandable, myself.
These are one group of relevant concerns, certainly. I think the one that
concerns me most these days, though, is the observation that in this case
security moves away from being established by specific security software like
Shibboleth mediated by trusted metadata, and instead becomes dependent on the
browser's implementation of TLS and PKIX. In particular, you move away from
only delivering attribute values through a SAML transaction in which the SP's
credential has to match trusted metadata over to a situation where any of the
*browser's* trust roots can be targeted. And that's before you take into
account unpatched browser bugs and attackers just relying on the user to
click "it's fine, continue" to security warnings.
Even without an assumption that the user's browser can be compromised,
therefore, attributes passed through the front channel using point-to-point
encryption are *not* as secure as attributes passed across the back channel.
Obviously in SAML 2, you can and should use end-to-end encryption to secure
the front channel.
-- Ian
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- Re: [Shib-Dev] Return of the Java SP... again, (continued)
- Re: [Shib-Dev] Return of the Java SP... again, Alistair Young, 08/29/2010
- Re: [Shib-Dev] Return of the Java SP... again, Chad La Joie, 08/29/2010
- RE: [Shib-Dev] Return of the Java SP... again, Scott Cantor, 08/29/2010
- Re: [Shib-Dev] Return of the Java SP... again, Chad La Joie, 08/25/2010
- RE: [Shib-Dev] Return of the Java SP... again, Scott Cantor, 08/25/2010
- Re: [Shib-Dev] Return of the Java SP... again, Chad La Joie, 08/25/2010
- Re: [Shib-Dev] Return of the Java SP... again, Jim Fox, 08/26/2010
- Re: [Shib-Dev] Return of the Java SP... again, Nate Klingenstein, 08/26/2010
- [Shib-Dev] Possible to provide shib-common/opensaml snapshots as well?, Halm Reusser, 08/26/2010
- Re: [Shib-Dev] Return of the Java SP... again, Ian Young, 08/26/2010
- Re: [Shib-Dev] Return of the Java SP... again, Nate Klingenstein, 08/26/2010
- Re: [Shib-Dev] Return of the Java SP... again, Jim Fox, 08/26/2010
- Re: [Shib-Dev] Return of the Java SP... again, Ian Young, 08/26/2010
- Re: [Shib-Dev] Return of the Java SP... again, Chad La Joie, 08/26/2010
- Re: [Shib-Dev] Return of the Java SP... again, Chad La Joie, 08/25/2010
- Re: [Shib-Dev] Return of the Java SP... again, Paul Hethmon, 08/25/2010
- Re: [Shib-Dev] Return of the Java SP... again, Peter Schober, 08/25/2010
- RE: [Shib-Dev] Return of the Java SP... again, Scott Cantor, 08/25/2010
- RE: [Shib-Dev] Return of the Java SP... again, Scott Cantor, 08/25/2010
Archive powered by MHonArc 2.6.16.