On Sep 29, 2011, at 3:05 PM, Andrew Petro wrote:

> It is the case that an adversary intercepting a service ticket and then
> validating it against the attribute-release-supporting SAML endpoint in CAS
> is sufficient to lay hands on whatever user attributes would be released to
> the legitimate application for which the ST was intended.

Provided they could: 1) block the intended recipient from receiving the ticket, or 2) beat the intended recipient in a race to use the ticket, or 3) block the recipient from using the ticket against the CAS server? Or is there something I'm missing there.

Thanks for the explanation on proxy security, btw.
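The three conditions in the reply all follow from two properties of a CAS service ticket: it is issued for one service URL and it is consumed by its first successful validation. The toy registry below is an added illustration, not code from this thread or from the CAS project; the service URLs, attribute values, the 10-second lifetime and the function names are all constructed for the model. It walks the cases the reply enumerates and also shows what a defender can observe: when someone else validates the ticket first, the legitimate application's own validation fails, and the registry's audit trail records a reuse attempt.

```python
import secrets
from dataclasses import dataclass, field

# Assumed lifetime for the model; a real CAS deployment configures its own value.
ST_LIFETIME_SECONDS = 10.0

# Constructed sample data for the scenarios below.
SERVICE = "https://app.example.edu/login"
OTHER_SERVICE = "https://other.example.edu/login"
ATTRS = {"mail": "alice@example.edu", "affiliation": "staff"}


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str       # the service URL the ST was issued for
    principal: str
    attributes: dict
    issued_at: float   # model clock, seconds
    consumed: bool = False


@dataclass
class TicketRegistry:
    tickets: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (event, ticket_id, service) tuples

    def issue(self, service, principal, attributes, now):
        tid = "ST-" + secrets.token_urlsafe(16)
        self.tickets[tid] = ServiceTicket(tid, service, principal, dict(attributes), now)
        return tid

    def validate(self, ticket_id, service, now):
        """Validate an ST for a service. Success consumes the ticket; every
        outcome is recorded so failures can be reviewed."""
        st = self.tickets.get(ticket_id)
        if st is None:
            self.audit.append(("INVALID_TICKET", ticket_id, service))
            return False, "INVALID_TICKET"
        if st.consumed:
            # Second presentation of an already consumed ST: the event to alert on.
            self.audit.append(("TICKET_REUSED", ticket_id, service))
            return False, "INVALID_TICKET"
        if now - st.issued_at > ST_LIFETIME_SECONDS:
            self.audit.append(("TICKET_EXPIRED", ticket_id, service))
            return False, "INVALID_TICKET"
        if st.service != service:
            # Wrong service URL: refused without consuming the ticket.
            self.audit.append(("INVALID_SERVICE", ticket_id, service))
            return False, "INVALID_SERVICE"
        st.consumed = True
        self.audit.append(("OK", ticket_id, service))
        return True, {"user": st.principal, "attributes": dict(st.attributes)}


def reuse_alerts(registry):
    """Detection helper: tickets presented again after being consumed."""
    return [tid for event, tid, _ in registry.audit if event == "TICKET_REUSED"]


def scenario_recipient_validates_first():
    """The intended application validates first; any later presentation of the
    same ST fails, so a copy of the ticket on its own is not enough."""
    reg = TicketRegistry()
    st = reg.issue(SERVICE, "alice", ATTRS, now=0.0)
    ok_app, payload = reg.validate(st, SERVICE, now=1.0)
    ok_later, reason = reg.validate(st, SERVICE, now=2.0)
    return ok_app, payload["attributes"]["mail"], ok_later, reason, reuse_alerts(reg)


def scenario_recipient_loses_race():
    """Condition 2 in the reply: another holder validates before the intended
    application, so the application's own validation fails. That failure on
    the legitimate side, plus the TICKET_REUSED audit entry, is the observable."""
    reg = TicketRegistry()
    st = reg.issue(SERVICE, "alice", ATTRS, now=0.0)
    ok_other, _ = reg.validate(st, SERVICE, now=0.5)
    ok_app, reason = reg.validate(st, SERVICE, now=1.0)
    return ok_other, ok_app, reason, reuse_alerts(reg) == [st]


def scenario_wrong_service_and_expiry():
    """Service binding and lifetime: a validation naming a different service is
    refused without consuming the ST, and an unused ST past its lifetime is refused."""
    reg = TicketRegistry()
    st = reg.issue(SERVICE, "alice", ATTRS, now=0.0)
    ok_wrong, reason_wrong = reg.validate(st, OTHER_SERVICE, now=1.0)
    ok_app, _ = reg.validate(st, SERVICE, now=2.0)   # still valid: not consumed above
    stale = reg.issue(SERVICE, "alice", ATTRS, now=0.0)
    ok_stale, reason_stale = reg.validate(stale, SERVICE, now=ST_LIFETIME_SECONDS + 1)
    return ok_wrong, reason_wrong, ok_app, ok_stale, reason_stale


if __name__ == "__main__":
    print(scenario_recipient_validates_first())
    print(scenario_recipient_loses_race())
    print(scenario_wrong_service_and_expiry())
```

The model deliberately reports the same generic INVALID_TICKET reason to the caller for unknown, consumed and expired tickets while keeping the distinct event in the audit list: the service does not need to learn why, but an operator reviewing TICKET_REUSED entries, or an application logging its own unexpected validation failures, gets the signal that a ticket reached two parties.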
