> Is there a list of the security risks/advantages? The security benefits of Web single sign-on generally apply to CAS; the primary benefit is limiting credential exposure to a single trusted broker (the CAS server). Other security benefits are particular to the implementation of CAS and the various protocols it supports. The use of cryptographically secure one-time-use tokens is one such benefit that comes to mind.
The benefits you mentioned originally are more or less orthogonal to CAS per se since the CAS server could conceivably be vulnerable to the attacks you mentioned. In practice, however, CAS helps limit the surface area of attacks like these since you can focus on securing the CAS server as the single software system that interfaces with sensitive credential and user details services. Many developers have reviewed the CAS codebase and considered system implementation concerns and have contributed that insight to secure the product. I'm confident to assert it's at the top of the Web SSO product space in terms of security. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
