OK. Looks like today at 11:00 ET is going to work for folks. Here are the coordinates:

Start Time: Friday, February 08, 2013 at 11:00 AM (GMT -05:00), US - Eastern
Duration: 1 hour
URL: http://apps.calliflower.com/conf/show?guid=c6b3794e12058ca1e0dadb0a8c9b9d8b2b1a5396
Conference Code: 4397017
PIN: 1949898
Agenda: cas-appsec, introductions, security issues, coordinate/collaborate on deliverables, and other activities.

Best,
Bill

On Mon, Feb 4, 2013 at 2:35 PM, William G. Thompson, Jr. <wgt...@gmail.com> wrote:
> On Fri, Feb 1, 2013 at 12:00 PM, Sweere, Kevin <kevin.sweere....@gafg.afrl-wrs.hpc.mil> wrote:
>> Sir,
>>
>> Yes, I'd love to participate. I'm a cyber-security researcher, but not a coder.
>
> Excellent!
>
> I'm proposing a cas-appsec group to explore these issues, coordinate/collaborate on deliverables, and other activities. I think it would be helpful to kick this off with a conf call and then see where we go from there.
>
> We are looking for additional volunteers and participants. If you are interested please let me know or just add your name to the doodle.
>
> http://doodle.com/papnz5mfuzdhacug
>
> I'll send out call logistics once we firm up a time.
>
> Best,
> Bill
>
>> I'll try to drag in my coding co-worker who's building & deploying CAS LiveCD webSSOs. I'll also invite those who run static & dynamic software security analysis tools... and attack tools.
>>
>> K
>>
>> On Thu, Jan 31, 2013 at 4:52 PM, William G. Thompson, Jr. <wgt...@gmail.com> wrote:
>>> Kevin,
>>>
>>> Thanks for bringing this up. There's been some discussion of spinning up an AppSec group for CAS to help maintain something like. Is this something you could participate in? I'd like to see the community maintain something of a security audit as well.
>>>
>>> The best doc to answer your question at the moment is the CAS Protocol doc:
>>> http://www.jasig.org/cas/protocol
>>>
>>> Best,
>>> Bill
>>>
>>> On Thu, Jan 31, 2013 at 4:28 PM, Sweere, Kevin <kevin.sweere....@gafg.afrl-wrs.hpc.mil> wrote:
>>> > Hello,
>>> >
>>> > To greatly decrease risk to a CAS server, it should only receive clean, safe data from external elements. For example, a CAS webSSO receives SAML messages created by XYZ.com and sent from untrusted user browsers from around the world. It may also receive CRL or OCSP data to check that user's PKI. An intermediate filter can stop unwanted, dangerous data before it even reaches the CAS's NIC. Less effective but acceptable are filters within the CAS server.
>>> >
>>> > Data that is safely usable by CAS must be allowed while everything else should be denied. What is the allowable text for incoming messages? Formats? Lengths? What filters exist to do this? (Besides the obvious - URLs, PPS)
>>> >
>>> > Thanks, Kevin Sweere, Air Force Research Lab
>>> >
>>> > --
>>> > You are currently subscribed to cas-dev@lists.jasig.org as: wgt...@gmail.com
>>> > To unsubscribe, change settings or access archives, see
>>> > http://www.ja-sig.org/wiki/display/JSG/cas-dev
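Kevin's question above asks what text, formats and lengths a CAS server should accept before a request reaches it. The following is an added example, not code from this thread or from the CAS project, showing a positive (allowlist) validator for the request parameters the CAS Protocol doc defines for /login, /serviceValidate and /proxyValidate. Service and proxy tickets are checked against the character set and prefix the protocol specifies; the registered service hosts, the 256-character ticket cap, the 2048-character URL cap, and the requirement that renew/gateway be an explicit "true"/"false" are assumptions chosen for this example. The same rules could run in a reverse proxy in front of the server or in a servlet filter inside it.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of service hosts registered with this CAS server
# (constructed for the example; a deployment would load it from its
# service registry).
ALLOWED_SERVICE_HOSTS = {"app.example.edu", "portal.example.edu"}

# Parameters the CAS protocol defines for each endpoint. Any other
# parameter, and any other path, is rejected outright.
ALLOWED_PARAMS = {
    "/login": {"service", "renew", "gateway"},
    "/serviceValidate": {"service", "ticket", "pgtUrl", "renew"},
    "/proxyValidate": {"service", "ticket", "pgtUrl", "renew"},
}

# Service/proxy tickets: "ST-" or "PT-" prefix followed only by
# [A-Za-z0-9-]. The protocol requires accepting 32-character tickets
# and recommends 256; 256 total (3 + 253) is the cap assumed here.
TICKET_RE = re.compile(r"(ST|PT)-[A-Za-z0-9-]{1,253}")
MAX_URL_LEN = 2048            # assumed upper bound for service / pgtUrl
FLAG_VALUES = {"true", "false"}  # assumed: renew/gateway must be explicit


class RejectedRequest(ValueError):
    """Raised when a request carries data CAS should never see."""


def _check_service_url(value, field):
    """Accept only an https URL, printable ASCII, on a registered host."""
    if len(value) > MAX_URL_LEN:
        raise RejectedRequest(f"{field}: exceeds {MAX_URL_LEN} characters")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        raise RejectedRequest(f"{field}: control or non-ASCII character")
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise RejectedRequest(f"{field}: scheme must be https")
    # urlsplit puts everything before '@' into userinfo, so a value like
    # https://app.example.edu@other.host/ resolves to host "other.host".
    if parts.hostname not in ALLOWED_SERVICE_HOSTS:
        raise RejectedRequest(f"{field}: host not registered")
    if parts.username or parts.password:
        raise RejectedRequest(f"{field}: userinfo not allowed")
    return value


def validate_cas_request(path, params):
    """Return a dict of validated parameters or raise RejectedRequest.

    `params` maps parameter names to lists of values, the shape a query
    string parser produces; a repeated parameter is rejected rather than
    letting first-wins / last-wins semantics decide.
    """
    if path not in ALLOWED_PARAMS:
        raise RejectedRequest(f"unknown endpoint {path!r}")
    allowed = ALLOWED_PARAMS[path]
    clean = {}
    for name, values in params.items():
        if name not in allowed:
            raise RejectedRequest(f"unexpected parameter {name!r}")
        if len(values) != 1:
            raise RejectedRequest(f"{name}: repeated parameter")
        value = values[0]
        if name in ("service", "pgtUrl"):
            clean[name] = _check_service_url(value, name)
        elif name == "ticket":
            if not TICKET_RE.fullmatch(value):
                raise RejectedRequest("ticket: bad format or length")
            clean[name] = value
        else:  # renew / gateway
            if value not in FLAG_VALUES:
                raise RejectedRequest(f"{name}: must be true or false")
            clean[name] = value
    if path != "/login" and not {"service", "ticket"} <= set(clean):
        raise RejectedRequest("validation requires service and ticket")
    return clean


def reject_reason(path, params):
    """None if the request is acceptable, else the rejection message."""
    try:
        validate_cas_request(path, params)
    except RejectedRequest as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample requests: one clean, several that a filter should stop.
    samples = [
        ("/login", {"service": ["https://app.example.edu/cb"]}),
        ("/serviceValidate", {"service": ["https://app.example.edu/cb"],
                              "ticket": ["ST-1-abc"]}),
        ("/serviceValidate", {"service": ["http://app.example.edu/cb"],
                              "ticket": ["ST-1-abc"]}),
        ("/login", {"service": ["https://app.example.edu@other.host/"]}),
        ("/login", {"service": ["https://app.example.edu/"], "debug": ["1"]}),
    ]
    for path, params in samples:
        print(path, params, "->", reject_reason(path, params) or "accepted")
```

The validator never tries to sanitise a bad value; anything outside the expected grammar is refused with a reason that can be logged, which is the behaviour Kevin describes (allow what CAS can safely use, deny everything else).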