Francisco,
You are right, I was in error to suggest that it was a MUST.
I think my main concern was that security considerations should not be
based on polling developers/deployers of an existing or legacy protocol.
SAML does include some additional countermeasures though - for example
(lines 595-596, profiles document) - that specifically deal with the
artifact being leaked -
[quote]
The identity provider MUST ensure that only the service provider to whom
the <Response> message has been issued is given the message as the result
of an <ArtifactResolve> request.
[/quote]
- prateek
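The quoted SAML requirement, as an added illustration that is not part of this thread or of any SAML implementation: an identity provider's artifact resolution store that binds each artifact to the service provider it was issued to, hands the <Response> out only to that provider, and treats every artifact as single-use. It assumes the caller has already authenticated the requesting service provider (for example from the signature on the ArtifactResolve message or the client certificate on the TLS connection) and passes that entity ID in as `requesting_sp`.

```python
"""Artifact resolution that enforces the SAML profiles rule quoted above."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ArtifactStore:
    """Pending artifacts held by an identity provider (constructed example)."""

    # artifact -> (entity ID of the SP it was issued to, the <Response> XML)
    _pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # record of refused resolutions, for monitoring / alerting
    rejected: List[Tuple[str, str, str]] = field(default_factory=list)

    def issue(self, sp_entity_id: str, response_xml: str) -> str:
        """Create an unguessable artifact bound to the SP that will redeem it."""
        artifact = secrets.token_urlsafe(32)
        self._pending[artifact] = (sp_entity_id, response_xml)
        return artifact

    def resolve(self, artifact: str, requesting_sp: str) -> Optional[str]:
        """Return the <Response> only to the SP it was issued to, at most once.

        `requesting_sp` is the entity ID of the caller as established by the
        message signature or transport authentication (assumed done already).
        Any resolution attempt consumes the artifact, so a leaked artifact
        presented by the wrong party cannot be replayed afterwards either.
        """
        entry = self._pending.pop(artifact, None)
        if entry is None:
            self.rejected.append((artifact, requesting_sp, "unknown or already used"))
            return None
        issued_to, response_xml = entry
        if issued_to != requesting_sp:
            # The artifact was presented by someone other than its intended
            # recipient: refuse, and keep a record for detection.
            self.rejected.append((artifact, requesting_sp, "issued to " + issued_to))
            return None
        return response_xml
```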
Hi Prateek,
> I would like to strongly disagree with this proposal.
>
> It amounts to explicitly making OAuth 2.0 insecure so as to
> satisfy some mysterious and unspecified set of legacy OAuth
> 1.0 deployments.
>
> The SAML web SSO (artifact) profile - which shares many
> characteristics with the initial steps in OAuth - requires
> precisely such a counter-measure and is widely implemented
> in 1000s of deployments.
What counter-measure is this? Can you provide a reference?
Section 4.1.3.5 of
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
recommends TLS but does not require it.
Francisco
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth