I can answer most of these questions :-)

On Dec 6, 2007 4:24 PM, Chris Hatton <[EMAIL PROTECTED]> wrote:

> I apologize for sounding alarmist, Scott.  My intent was actually to not
> raise any false concern.
>
> In essence, we had 3 questions/concerns:
>
> 1. How long are one-time use tickets good for before expiration?

I believe the default time is 5 minutes (or one use).  The length of time
it's valid for is actually configurable though.

>
> 2. Has it been determined that the ticket generation process is
> sufficiently random that it is not predictable?

The Ticket Generation process uses Java's SecureRandom, which, as far as I
know, no one has declared insufficiently random.  Also, via configuration, you
can specify the length of randomness required.

>
> 3. Is there any ability to authenticate the source of the ticket
> validation response, e.g., via a shared secret or PKI?  This would prevent
> DNS spoofing.

All requests for validation should go over SSL.  Therefore your CAS server
must either use a commercial certificate (which can be independently
verified) or a local certificate (local being a local CA) that you must
explicitly tell your client to trust.

>
>
> And with respect to the formal security review, I am merely wondering if
> any group (third-party or internal) had conducted a threat model or similar
> and made the results publicly accessible.

I am not aware of any formal review, though there has been plenty of
discussion and debate which is probably floating around.  One of the people
from Yale may be able to speak more about any formal review of the protocol
as it originated there.


>   In particular, I was wondering whether CAS was intended for federated
> authentication or was aimed more at the institution level.  Some additional
> digging in the mailing lists did turn up the following post which suggests
> that federated authentication should be based either on SAML or Shibboleth,
> whereas CAS is more suited at the institution.


The original CAS protocol is best suited for scenarios where you are only
authenticating against a single authority (though cross-domain works fine if
that is all you need).  We've added support for OpenId and SAML 1.1; SAML 2.0
is on our roadmap, but there is no timeline at this moment.  We actually do
support basic SAML 2.0, but it's only been tested with respect to Google
Apps.

Hope that helps.  Let me know if you have any more questions.
-Scott


>
>
> http://tp.its.yale.edu/pipermail/cas-dev/2005-January/000134.html
>
> I should note that for our purposes, we are playing in the federated
> space.
>
> -Chris
>
>
>
> On Dec 6, 2007 12:48 PM, Scott Battaglia <[EMAIL PROTECTED]>
> wrote:
>
> > Chris,
> >
> > If your team has what you feel are legitimate security concerns, please
> > contact the JASIG Security Team:
> > http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group
> >
> > If you have questions about how CAS works or do not understand
> > particular details, please detail your questions/comments/concerns to the
> > list.  Please do not merely state "some concerns were raised" and not follow
> > through on raising them as that leaves everyone here wondering what is going
> > on when it may or may not be a real concern.
> >
> > I'm not sure what you mean by formal security review.  Are you
> > interested in a comparison of the CAS protocol or the CAS server
> > application?  Because comparing it to SAML compares the protocol, while
> > comparing it to Shibboleth compares the applications.
> >
> > Thanks
> > -Scott
> >
> > On Dec 6, 2007 1:25 PM, Chris Hatton <[EMAIL PROTECTED]> wrote:
> >
> > > Hello, everyone,
> > >
> > > I am considering adoption of CAS for a third-party integration with
> > > our platform, but we require formal security reviews prior to adoption of
> > > any new means of authentication.  We conducted a brief review internally,
> > > but some concerns were raised (admittedly those concerns could be related
> > > entirely to our own naivety).
> > >
> > > Is anyone aware of any formal security reviews that have been
> > > conducted on CAS?  Any relative comparisons of CAS vs. SAML?  CAS vs.
> > > Shibboleth?
> > >
> > > Any information you could provide is appreciated...
> > >
> > > Thanks,
> > > Chris Hatton
> > >
> > > _______________________________________________
> > > Yale CAS mailing list
> > > [email protected]
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> > >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
>
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
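The three ticket properties Scott describes above (a short configurable validity window, one use only, identifiers drawn from Java's SecureRandom with a configurable amount of randomness) can be made concrete in a small registry.  The class below is an added illustration written for this archive page; it is not code from the CAS server or from anyone in the thread.  It assumes a 5-minute default window as quoted, picks 32 random bytes as an assumed default length, and additionally binds each ticket to the service URL it was issued for, which is a check the thread does not mention.  The clock, principal and service URL in main() are constructed sample values.  Requires Java 16 or later for the record.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not CAS's own code: a one-time, time-limited service ticket
 * registry.  Tickets expire after a configurable window, validate at most once,
 * and get their identifiers from SecureRandom with a configurable byte length.
 */
public final class OneTimeTicketRegistry {

    public static final Duration DEFAULT_TTL = Duration.ofMinutes(5); // as quoted in the thread
    public static final int DEFAULT_RANDOM_BYTES = 32;                // assumed default: 256 bits

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();

    /** What the registry remembers about a ticket that has not been redeemed yet. */
    private record Issued(String principal, String service, Instant issuedAt) {}

    private final Duration ttl;
    private final int randomBytes;
    private final Clock clock;
    private final Map<String, Issued> live = new ConcurrentHashMap<>();

    public OneTimeTicketRegistry(Duration ttl, int randomBytes, Clock clock) {
        if (randomBytes < 16) { // refuse anything under 128 bits of entropy
            throw new IllegalArgumentException("randomBytes must be >= 16");
        }
        this.ttl = ttl;
        this.randomBytes = randomBytes;
        this.clock = clock;
    }

    /** Issue a ticket for an authenticated principal, bound to one service URL. */
    public String issue(String principal, String service) {
        byte[] raw = new byte[randomBytes];
        RNG.nextBytes(raw);
        String id = "ST-" + ENC.encodeToString(raw);
        live.put(id, new Issued(principal, service, clock.instant()));
        return id;
    }

    /**
     * Validate and consume a ticket.  The remove() runs first, so the ticket is
     * gone after the first presentation whether or not that presentation passed
     * the expiry and service checks; a replay therefore always fails.
     */
    public Optional<String> validate(String id, String service) {
        Issued t = live.remove(id);
        if (t == null) {
            return Optional.empty(); // never issued, or already redeemed
        }
        Instant deadline = t.issuedAt().plus(ttl);
        if (clock.instant().isAfter(deadline) || !t.service().equals(service)) {
            return Optional.empty(); // expired, or presented for the wrong service
        }
        return Optional.of(t.principal());
    }

    /** Controllable clock so the expiry path can be exercised without waiting. */
    static final class StepClock extends Clock {
        private Instant now;
        StepClock(Instant start) { this.now = start; }
        void advance(Duration d) { now = now.plus(d); }
        @Override public ZoneId getZone() { return ZoneOffset.UTC; }
        @Override public Clock withZone(ZoneId zone) { return this; }
        @Override public Instant instant() { return now; }
    }

    public static void main(String[] args) {
        StepClock clock = new StepClock(Instant.parse("2007-12-06T21:24:00Z")); // constructed
        OneTimeTicketRegistry reg =
                new OneTimeTicketRegistry(DEFAULT_TTL, DEFAULT_RANDOM_BYTES, clock);
        String svc = "https://app.example.edu/login"; // constructed sample service URL

        // A fresh ticket validates once; presenting the same ticket again is refused.
        String st = reg.issue("chatton", svc);
        System.out.println("first use:  " + reg.validate(st, svc));
        System.out.println("replay:     " + reg.validate(st, svc));

        // A ticket presented after the validity window is refused.
        String stale = reg.issue("chatton", svc);
        clock.advance(Duration.ofMinutes(5).plusSeconds(1));
        System.out.println("after 5m1s: " + reg.validate(stale, svc));

        // A ticket presented for a service other than the one it was issued to is refused.
        String other = reg.issue("chatton", svc);
        System.out.println("wrong svc:  " + reg.validate(other, "https://other.example.edu/"));
    }
}
```

The length of the identifier is the knob Scott refers to as the configurable "length of randomness": raising randomBytes lengthens the ticket string and the brute-force search space in step, while the constructor refuses values that would put the identifier below 128 bits.  Note that this covers the ticket itself only; the point in the thread about trusting the CAS server's certificate is about the transport the validation request travels over, and nothing here replaces that.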