OASIS Security Services (SAML) TC
SECURITY-28

No mention of freshness or replay detection in SAML protocols or profiles


    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: SAML 2.0 + Approved Errata 05
    • Fix Version/s: None
    • Component/s: Bindings, Core, Profiles
    • Labels:
      None
    • Proposal:
      Tentative, but I suggest we consider adding language to Core and Bindings that makes freshness checking and replay detection a recommended practice. If we can't make specific use cases a MUST, we should avoid the confusion and complexity of trying to limit the guidance to only certain scenarios and just make it a general recommendation as a SHOULD.

      Description

      The Security Considerations document provides some minimal discussion of risks that are mitigated through freshness checks or replay checks, but the actual spec set says nothing about the use of the IssueInstant or ID attributes at the protocol layer.

      Discussion of bearer assertion or artifact replay checking exists, but nothing at the protocol layer.

      This is a significant omission depending on specific use cases, such as the use of signed messages in place of mutual TLS in the SOAP binding, or with the use of signed AuthnRequests or LogoutRequests in various profiles.
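      As an illustration of the protocol-layer check the issue says the spec set never asks for, here is an added example (not code from the issue, the TC, or any SAML implementation) that applies a freshness window to IssueInstant and a bounded replay cache to ID on a signed protocol message. The AuthnRequest, the 180-second skew and the 300-second maximum age are constructed assumptions for the example; the values a deployment should use depend on its clock discipline and binding.

```python
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Constructed sample AuthnRequest (not taken from the issue). ID and IssueInstant
# are the root-element attributes the issue says verifiers are never told to check.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-0001" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://idp.example.org/SSO">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
</samlp:AuthnRequest>"""

SKEW = timedelta(seconds=180)      # assumed tolerated clock difference between peers
MAX_AGE = timedelta(seconds=300)   # assumed lifetime of a protocol message


def parse_issue_instant(value):
    """Parse a SAML dateTime: UTC with a trailing 'Z', optional fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError("IssueInstant must be in UTC ('Z' suffix)")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


class ReplayCache:
    """Recently seen message IDs, each with an expiry so the store stays bounded.

    The TTL must cover the whole acceptance window (MAX_AGE + SKEW); a shorter
    TTL would evict an ID while the same message is still fresh enough to pass."""

    def __init__(self, ttl):
        self.ttl = ttl          # timedelta
        self._seen = {}         # message ID -> expiry (aware datetime)

    def check_and_store(self, msg_id, now):
        """Return True the first time an ID is seen, False on replay."""
        for stale in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[stale]
        if msg_id in self._seen:
            return False
        self._seen[msg_id] = now + self.ttl
        return True


def validate_protocol_message(xml_text, cache, now=None):
    """Freshness and replay check on the root protocol element.

    Only meaningful after the message signature has been verified; until then
    ID and IssueInstant are whatever the sender chose. Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    msg_id = root.get("ID")
    instant = root.get("IssueInstant")
    if not msg_id or not instant:
        return False, "missing ID or IssueInstant"
    now = now or datetime.now(timezone.utc)
    issued = parse_issue_instant(instant)
    if issued > now + SKEW:
        return False, "IssueInstant is in the future beyond allowed skew"
    if issued < now - MAX_AGE:
        return False, "message too old"
    if not cache.check_and_store(msg_id, now):
        return False, "replayed message ID"
    return True, "ok"


def demo():
    """Run the sample through the four outcomes; returns the reason strings."""
    results = []
    cache = ReplayCache(ttl=MAX_AGE + SKEW)
    fresh = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
    results.append(validate_protocol_message(SAMPLE_AUTHN_REQUEST, cache, now=fresh)[1])
    # The same message delivered again inside the window: rejected by the ID cache.
    results.append(validate_protocol_message(SAMPLE_AUTHN_REQUEST, cache, now=fresh)[1])
    # Delivered ten minutes later to a verifier with an empty cache: rejected by age.
    late = datetime(2024, 1, 1, 12, 10, 0, tzinfo=timezone.utc)
    results.append(validate_protocol_message(SAMPLE_AUTHN_REQUEST, ReplayCache(MAX_AGE + SKEW), now=late)[1])
    # Verifier clock ten minutes behind the issuer: IssueInstant lands in the future.
    early = datetime(2024, 1, 1, 11, 50, 0, tzinfo=timezone.utc)
    results.append(validate_protocol_message(SAMPLE_AUTHN_REQUEST, ReplayCache(MAX_AGE + SKEW), now=early)[1])
    return results


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

      The age check alone does not stop a replay inside the window, and the ID cache alone grows without bound; the two belong together, with the cache TTL tied to the window so that neither check can be bypassed by waiting for the other to expire.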


            People

            • Assignee:
              cantor.2 Scott Cantor
            • Reporter:
              cantor.2 Scott Cantor
            • Watchers:
              1
