[SECURITY-28] No mention of freshness or replay detection in SAML protocols or profiles - OASIS Technical Committees Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: New
Priority: Major
Resolution: Unresolved
Affects Version/s: SAML 2.0 + Approved Errata 05
Fix Version/s: None
Component/s: Bindings, Core, Profiles
Labels:
None

Proposal:

Hide

Tentative, but I suggest we consider adding language to Core and Bindings that makes freshness checking and replay detection a recommended practice. If we can't make specific use cases a MUST, we should avoid the confusion and complexity of trying to limit the guidance to only certain scenarios and just make it a general recommendation as a SHOULD.

Show
Tentative, but I suggest we consider adding language to Core and Bindings that makes freshness checking and replay detection a recommended practice. If we can't make specific use cases a MUST, we should avoid the confusion and complexity of trying to limit the guidance to only certain scenarios and just make it a general recommendation as a SHOULD.

Description

The Security Considerations document provides some minimal discussion of risks that are mitigated through freshness checks or replay checks, but the actual spec set says nothing about the use of the IssueInstant or ID attributes at the protocol layer.

Discussion of bearer assertion or artifact replay checking exists, but nothing at the protocol layer.

This is a significant omission depending on specific use cases, such as the use of signed messages in place of mutual TLS in the SOAP binding, or with the use of signed AuthnRequests or LogoutRequests in various profiles.

Attachments

Activity

People

Assignee:

Scott Cantor (Inactive)

Reporter:

Scott Cantor (Inactive)

Watchers:

1 Start watching this issue

Dates

Created:

17/Sep/15 1:34 AM

Updated:

17/Sep/15 1:34 AM