undefined | Better HN

0 pointstptacek5y ago0 comments

Yes: people shouldn't be using encoding/xml to implement SAML, at all. The library was already functionally problematic for SAML, because it doesn't fully implement namespaces. Nor does it implement `xml-exc-c14n`. For the IdP I wrote last year, I just wrote my own XML; it's not that big a deal.

Software security people have understood for a long time that XMLDSIG is sketchy, and that implementations often need to be "bug-compatible" to interoperate safely. SAML is an XMLDSIG protocol. I feel bad for putting it this way, but I think that reasonably skilled security engineers should be alarmed if their platform's standard XML library easily allows you to implement something that claims to be DSIG.

0 comments

jka5y ago

Meta-question: are software standards generally becoming more security-friendly over time?

tptacekOP5y ago

No, but software itself is, because of designs like WireGuard (which aren't formal standards) and software like libsodium and signify.

j / k navigate · click thread line to collapse

0 comments

jka5y ago

Meta-question: are software standards generally becoming more security-friendly over time?

tptacekOP5y ago

No, but software itself is, because of designs like WireGuard (which aren't formal standards) and software like libsodium and signify.

j / k navigate · click thread line to collapse