I apologize for sounding alarmist, Scott.  My intent was actually to not
raise any false concern.

In essence, we had 3 questions/concerns:

1. How long are one-time use tickets good for before expiration?
2. Has it been determined that the ticket generation process is sufficiently
random that it is not predictable?
3. Is there any ability to authenticate the source of the ticket validation
response, e.g., via a shared secret or PKI?  This would prevent DNS
spoofing.

And with respect to the formal security review, I am merely wondering if any
group (third-party or internal) had conducted a threat model or similar and
made the results publicly accessible.  In particular, I was wondering
whether CAS was intended for federated authentication or was aimed more at
the institution level.  Some additional digging in the mailing lists did
turn up the following post which suggests that federated authentication
should be based either on SAML or Shibboleth, whereas CAS is more suited to
the institution.

http://tp.its.yale.edu/pipermail/cas-dev/2005-January/000134.html

I should note that for our purposes, we are playing in the federated space.

-Chris
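The three properties asked about above (short-lived tickets, unpredictable ticket generation, and an authenticated validation response), sketched as an added illustration; this is example code, not CAS's own implementation, and the 10 second TTL, the `ST-` prefix and the shared-secret HMAC are assumptions for the example:

```python
import hashlib
import hmac
import secrets
import time


class TicketIssuer:
    """One-time service tickets: unpredictable, short-lived, single use.
    The 10 second TTL and the 'ST-' prefix are assumed for this example."""

    def __init__(self, ttl_seconds=10, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._live = {}             # ticket id -> (service, issued_at)

    def issue(self, service):
        # token_urlsafe draws from the OS CSPRNG, so ticket ids are not guessable
        ticket = "ST-" + secrets.token_urlsafe(32)
        self._live[ticket] = (service, self.clock())
        return ticket

    def validate(self, ticket, service):
        # pop() removes the ticket on first use, so a replay finds nothing
        entry = self._live.pop(ticket, None)
        if entry is None:
            return False
        bound_service, issued_at = entry
        if bound_service != service:
            return False            # ticket presented to a different service
        return self.clock() - issued_at <= self.ttl


def sign_response(shared_key, body):
    """Server side: attach an HMAC-SHA256 tag so the client can check that the
    validation response came from the holder of the shared key rather than
    from a host reached through a spoofed DNS answer."""
    tag = hmac.new(shared_key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def verify_response(shared_key, body, tag):
    """Client side: constant-time comparison of the received tag."""
    expected = hmac.new(shared_key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    issuer = TicketIssuer()
    st = issuer.issue("https://app.example.org/login")   # constructed service URL
    print(st, issuer.validate(st, "https://app.example.org/login"))
```

A shared-secret HMAC as shown only authenticates the response; TLS with certificate checking on the validation URL would achieve the same with PKI, as the question mentions.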


On Dec 6, 2007 12:48 PM, Scott Battaglia <[EMAIL PROTECTED]> wrote:

> Chris,
>
> If your team has what you feel are legitimate security concerns, please
> contact the JASIG Security Team:
> http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group
>
> If you have questions about how CAS works or do not understand particular
> details, please detail your questions/comments/concerns to the list.  Please
> do not merely state "some concerns were raised" and not follow through on
> raising them as that leaves everyone here wondering what is going on when it
> may or may not be a real concern.
>
> I'm not sure what you mean by formal security review.  Are you
> interested in a comparison of the CAS protocol or the CAS server
> application?  Because comparing it to SAML compares the protocol, while
> comparing it to Shibboleth compares the applications.
>
> Thanks
> -Scott
>
> On Dec 6, 2007 1:25 PM, Chris Hatton <[EMAIL PROTECTED]> wrote:
>
> > Hello, everyone,
> >
> > I am considering adoption of CAS for a third-party integration with our
> > platform, but we require formal security reviews prior to adoption of any
> > new means of authentication.  We conducted a brief review internally, but
> > some concerns were raised (admittedly those concerns could be related
> > entirely to our own naivety).
> >
> > Is anyone aware of any formal security reviews that have been conducted
> > on CAS?  Any relative comparisons of CAS vs. SAML?  CAS vs. Shibboleth?
> >
> > Any information you could provide is appreciated...
> >
> > Thanks,
> > Chris Hatton
> >
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>