Dear CAS Community,

The CAS Steering Committee was recently presented with a paper that detailed some of the risks of protocols that use bearer tokens. The paper specifically mentioned CAS, though just about all protocols that use bearer tokens are subject to these risks.

The Steering Committee has drafted a formal response to this paper and encourages you to read it (the response specifically, but feel free to read the paper also!):

https://wiki.jasig.org/display/CASST/Mitigating+Risk+due+to+the+Inherent+Characteristics+of+Bearer+Tokens

We've also started a document where the CAS community can collaborate on best practices for securing their applications (it's a bit sparse right now, but we expect it to grow):

https://wiki.jasig.org/display/CASC/Client+Security+Recommendations

We encourage you to read and contribute to this document.

We take security and usability of the CAS Server and Clients seriously. Future releases of the CAS Server and CAS clients will continue to take a lead in implementing security and usability best practices in order to protect users. Look for some of those to appear in the CAS Server 3.5 release.

If you have any questions, please do not hesitate to contact the steering committee.

Thanks,
Scott

--
Scott Battaglia
Chair, Jasig Central Authentication Service Steering Committee
(sent on behalf of the entire CAS Steering Committee)
