assurance - RE: [Assurance] Addressing InCommon IAP & Shibboleth IdP

RE: [Assurance] Addressing InCommon IAP & Shibboleth IdP
  • From: Russell J Yount <>
  • To: "" <>
  • Subject: RE: [Assurance] Addressing InCommon IAP & Shibboleth IdP
  • Date: Wed, 8 Aug 2012 17:46:29 +0000
  • Accept-language: en-US

Yes, there is a lot of poorly designed software out there.

In the response to "4.2.5.5 SESSION AUTHENTICATION" perhaps stating

"The Shibboleth IdP employs SSL encryption along with a secure cookie
management strategy for session maintenance."

may make sense.

-Russ

-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott
Sent: Wednesday, August 08, 2012 1:28 PM
To:
Subject: Re: [Assurance] Addressing InCommon IAP & Shibboleth IdP

On 8/8/12 1:16 PM, "Russell J Yount" <> wrote:

>
>Shouldn't the scenario of an attacker creating a cookie and its
>contents, placing it in the browser cache, then visiting the IdP, which
>recognizes the cookie as a valid session, be addressed also?
>
>SSL only addresses the security of the communications between browser
>and IdP. There are other techniques employed to prevent the use of a
>non-IdP created cookie that could fool the IdP into believing the
>browser has an authenticated session.

Which ones do you think should be required? What if a product out there
doesn't do some of them? I ask that because I know it's true.

It's a somewhat dangerous road to go down, that's all I'm saying.

-- Scott
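One concrete form of the "secure cookie management strategy" discussed in this thread, in which a cookie not minted by the IdP is rejected because its authentication tag cannot be produced without the server-side key, as an added illustration that is not Shibboleth IdP code (the key, the claim layout and the helper names are assumptions):

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key. A real IdP loads this from protected configuration;
# whoever lacks it cannot produce a tag the validator will accept.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _tag(payload: bytes, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the encoded claims, base64url for cookie safety."""
    return base64.urlsafe_b64encode(
        hmac.new(key, payload, hashlib.sha256).digest()).decode()


def issue_session_cookie(principal: str, ttl_seconds: int = 3600,
                         now: Optional[float] = None) -> str:
    """Mint a cookie value the IdP can later recognise as its own."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": principal, "sid": secrets.token_hex(16),
                       "exp": int(now + ttl_seconds)}, separators=(",", ":"))
    payload = base64.urlsafe_b64encode(body.encode()).decode()
    return f"{payload}.{_tag(payload.encode())}"


def validate_session_cookie(cookie: str,
                            now: Optional[float] = None) -> Optional[dict]:
    """Return the session claims, or None unless the IdP itself minted it."""
    now = time.time() if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None
    # Check the tag before trusting any byte of the payload; constant-time
    # comparison keeps the check from leaking how many bytes matched.
    if not hmac.compare_digest(tag, _tag(payload.encode())):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

Rotating SERVER_KEY invalidates every outstanding cookie at once, which is the intended lever when a compromise is suspected.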