On 7/24/14, 11:41 AM, "Josh Howlett" <[email protected]> wrote:

> Ah yes, the slides were not explicit about this, sorry. The assertion
> would be scoped to an <Audience> (the valid destination) using the
> proposed format, signed by the issuer, and use a standard SAML entity
> identifier to identify itself. The recipient, having validated the
> signature against the metadata, could validate itself as the intended
> <Audience>.
I'm not sure what your threat model is, but that doesn't really prevent a MITM. The binding-level protections in SAML are not Audience, but Destination/Recipient attributes, because those are actual network endpoints. Audience is like a message-level constraint on the very end of the chain of hops, but it can't limit the chain of hops.

If I understand the point of Sam's comment, he's concerned about the same problem I can't really solve in SAML-EC, which is that the client is essentially driving the bus here, and not the IdP, so there isn't any way to control what endpoint(s) the message can be delivered to. The only fix for me was channel binding as a backstop to prevent MITM attacks, because in my model the IdP is the one validating the channel binding for the two parties trying to communicate.

(If I'm not talking about the same problem, just dismiss my comment.)

-- Scott

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
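The distinction Scott draws between the binding-level Destination/Recipient attributes and the message-level Audience, as an added example that is not part of the thread: a minimal receiver-side check of a SAML 2.0 Response in which the sample XML, entity IDs and endpoint URLs are constructed placeholders, and signature validation against metadata is assumed to have already happened.

```python
# Added example, not code from the thread: a receiver-side check of a SAML 2.0
# Response that enforces the binding-level Destination and Recipient
# attributes alongside the message-level AudienceRestriction.  Sample XML,
# entity IDs and URLs are constructed placeholders.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.org/acs">
 <saml:Assertion>
  <saml:Subject><saml:SubjectConfirmation>
   <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.org/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, my_entity_id, my_endpoint_url):
    """Return the names of failed checks; an empty list means all passed."""
    root = ET.fromstring(xml_text)
    failed = []
    # Binding level: the Response names the network endpoint it was sent to.
    if root.get("Destination") != my_endpoint_url:
        failed.append("Destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failed + ["Assertion"]
    # Binding level: bearer confirmation must also name that endpoint.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/"
                         "saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != my_endpoint_url:
        failed.append("Recipient")
    # Message level: Audience names the final consumer, not the delivery hop,
    # so it is checked in addition to, never instead of, the two above.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        failed.append("Audience")
    return failed

if __name__ == "__main__":
    # Same assertion received at an endpoint the issuer did not address:
    # the Audience check alone would not notice the misdirection.
    print(check_response(SAMPLE, "https://sp.example.org/sp",
                         "https://other.example.net/acs"))
```

Run at the addressed endpoint the function returns an empty list; run at another endpoint it reports Destination and Recipient failures even though the Audience still matches, which is exactly why Audience cannot stand in for the binding-level checks.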
