But the problem here isn't the encryption. Well, for all I know, the encryption could be completely broken; I'm not a crypto-expert.
But the problem described in the post wasn't the encryption. It was the logic. Specifically the order that things are done in. Parsing something before verifying it can be dangerous.
Indeed! Let's scratch the XMLDSIG entirely and replace it with a sane scheme.
Does SAML have enough salvageable parts to try fixing that, instead of going with something completely different? SAML is so pervasive that migrating off it can't be cheap or easy.