4 messages in org.oasis-open.lists.security-coreRe: Interim requirements II!| From | Sent On | Attachments |
|---|---|---|
| Philip Hallam-Baker | Jan 25, 2001 2:08 pm |  .bin, .bin |
| Stephen Farrell | Jan 26, 2001 2:57 am | |
| Geor...@tivoli.com | Jan 26, 2001 8:42 am | |
| Stephen Farrell | Jan 26, 2001 9:11 am |
| Subject: | Re: Interim requirements II! | |
|---|---|---|
| From: | Stephen Farrell (step...@baltimore.ie) | |
| Date: | Jan 26, 2001 2:57:22 am | |
| List: | org.oasis-open.lists.security-core | |
One more addition, and a question.
[R-DoS] Ensure that assertions (and later protocols, bindings) do not unnecessarily offer DoS opportunities & if they have to, then this to be called-out in the specification.
Basic thing to be aware of is where a URI is received and de-referenced. Soon as you do that, you might be in trouble. Countermeasures built around de-referencing after peer entity or message authentication (and careful coding:-).
The question is do we want:
[R-ReAuth] Ability for server to signal that re-authenticaiton is required where you'd normally expect an authorization decision.
I didn't phrase that too well, but I guess folks'll recognize the issue.
Stephen.
Philip Hallam-Baker wrote:
Try the second:
This time as an attachment.
Phill
Phillip Hallam-Baker Principal Scientist VeriSign Inc. pba...@verisign.com 781 245 6996 x227
---------------------------------------------------------------------------------------------------- Name: s2ml_requirements_analysis.htm s2ml_requirements_analysis.htm Type: Hypertext Markup Language (text/html) Encoding: QUOTED-PRINTABLE
--
____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:step...@baltimore.ie Ireland http://www.baltimore.com