Can you give more information on SEC_6: Check /validate and /serviceValidate URLs against the list of the trusted certificates using the checkAgainstCertificates flag defined for each service (true by default)?

The client isn't sending a certificate when connecting to /serviceValidate, so are you proposing that the CAS server connect back to the provided URL and get the certificate to verify? That seems like a lot of overhead and, maybe I'm missing something, but I don't see what attack this check would be protecting the server or client from.

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868
epie...@usf.edu

________________________________
From: Jérôme LELEU <lel...@gmail.com>
Sent: Tuesday, September 03, 2013 3:05 PM
To: cas-dev@lists.jasig.org
Subject: [cas-dev] Improve CAS security

Hi,

As some of you may already know, a CAS AppSec Working Group has been created to work on CAS security: https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group.

We have spent time analysing and discussing potential threats. So we are now at the point where we have listed security proposals to improve CAS security: https://wiki.jasig.org/display/CAS/Proposals+to+mitigate+security+risks.

I'm looking forward to your feedback.

I'd like to draw attention also on the fact that:
- I'm willing to implement these proposals if an agreement is reached through this thread
- proposals which are easy and backward compatible can be implemented quickly for version 4.0.

Thanks.
Best regards,
Jérôme

--
You are currently subscribed to cas-dev@lists.jasig.org as: epie...@usf.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev