> With the help of the sequence numbers, one could perform traffic analyses
> (e.g. determining how many logins there are in a given timespan), which might be undesired.
You would need credentials in order to perform such an analysis. I suppose a curious user could perform this analysis on his or her SSO domain using his or her own credentials, but I would hope vigilant IDM sysadmins would note high rates of authentication for a single user and investigate. You suggested that the rates of authentication could be disclosed, which at first glance appears to be the only meaningful information to be gained from traffic analysis. I don't see how that information would be useful to an attacker. You could probably estimate fairly accurately the number of authentications per day based on organizational size. It's perfectly reasonable to expect an SSO session to last one day, so a rough estimate of authentications per day is simply the number of users. For public universities in the US that information is publicly available; I would imagine it's not hard to determine for an organization generally.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
