potiuk opened a new pull request, #457: URL: https://github.com/apache/cxf-fediz/pull/457
**This is a draft proposal for the CXF PMC to review — please correct, reject, or discuss as needed.** Nothing here is a requirement; the maintainers are the decision-makers. Companion to the `apache/cxf` umbrella PR — Fediz's WS-Federation / SAML-SSO trust surface is distinct, so it gets its own model.

This PR adds `THREAT_MODEL.md` + `AGENTS.md` and a Threat Model section in the existing `SECURITY.md`, wiring `AGENTS.md -> SECURITY.md -> THREAT_MODEL.md`.

The model's pivot: in SSO the security-relevant work is **token validation at the RP** and **issuance at the IdP**, around a token that travels through the *untrusted browser*.

Draft-first, mostly inferred (~12 documented / 0 maintainer / ~46 inferred); every `*(inferred)*` claim routes to a numbered **§14** question. The **wave-1** rulings are the SSO crux:

- By default, does the RP **require a valid signature from a trusted IdP cert** and reject unsigned/untrusted tokens?
- Are **audience/`wtrealm`**, **`Conditions`** (timestamps + skew), and a **replay cache** enforced by default?
- Does SAML processing defend **signature-wrapping (XSW)** by binding the verified signature to the consumed assertion?

Also flagged: `wreply` reply-URL allow-listing (open redirect / token forwarding) and XXE/DoS on token parse (inherited from CXF/WSS4J).

Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting. Drafted via the [threat-model-producer](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573) rubric. If you'd rather author it yourselves, close this PR and we'll regroup.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
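An added example, not part of the pull request or of Fediz's code: a sketch of the audience, `Conditions` (timestamps + skew) and replay-cache checks that the wave-1 questions ask about, applied to claims from an assertion that is assumed to have already passed signature verification against a trusted IdP certificate. The names `check_token` and `ReplayCache`, the 60-second skew and the sample realm are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

SKEW = timedelta(seconds=60)  # assumed tolerance, not a Fediz default


class ReplayCache:
    """Remembers assertion IDs until the assertion itself has expired."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it is rejected anyway

    def check_and_store(self, assertion_id, expires, now):
        # Entries past their expiry already fail the time check, so drop them.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def check_token(claims, expected_realm, cache, now, skew=SKEW):
    """Return "ok" or the reason for rejection.

    `claims` holds fields read from the same assertion element the verified
    signature covers (assumption; signature and XSW checks happen earlier).
    """
    if expected_realm not in claims.get("audiences", []):
        return "audience mismatch"
    not_before = claims.get("not_before")
    not_on_or_after = claims.get("not_on_or_after")
    if not_before is None or not_on_or_after is None:
        return "missing conditions"
    if now + skew < not_before:
        return "not yet valid"
    if now - skew >= not_on_or_after:
        return "expired"
    if not cache.check_and_store(claims["id"], not_on_or_after + skew, now):
        return "replayed"
    return "ok"


# Constructed sample values, not taken from any real deployment.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "id": "_constructed-id-1",
    "audiences": ["urn:example:rp"],
    "not_before": T0,
    "not_on_or_after": T0 + timedelta(minutes=5),
}
```

The replay entry is kept until `NotOnOrAfter` plus skew, so the cache never has to outlive the window in which the time check would still accept the token.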
