Tuesday, February 12, 2008

Brown Bag

Today I tested the openinfocard id selector and the xmldap sts against the python relying party.
At first I got the dreaded "does not contain a InclusiveNamespaces element" error/info but this was easily fixed.

Here is a screenshot after I presented a token from a managed card issued by the xmldap STS (a local version; I will upload it soon to xmldap.org) to the python RP:


Here is a screenshot after I presented a token from a self-issued card to the python RP:


While looking at the python code I noticed that it checks whether the InclusiveNamespaces element is present but it does not test whether the PrefixList makes sense. Could somebody please write more about the brown bag attack, how a meaningful security token with InclusiveNamespaces looks like and describe how an attacker might exploit a missing InclusiveNamespaces element in a information card scenario? My guess is that this is more of a theoretical attack because if all connections are protected by SSL than either id selector or STS must be compromised. I guess that you have more troubles than forged signatures when either case it true.

No comments: