
📝 Docs / Security threat-model document and advisory process #43

Description

@docJerem

Context

ex_saml positions itself as the actively maintained, security-focused successor to Samly. That claim is stronger when the security model is written down: what threats the library defends against, where the trust boundary sits, and how security issues are reported and disclosed.

Goal

Publish a security boundary / threat-model document and a lightweight advisory process.

Proposed scope

  • SECURITY.md (or docs/security_boundary.md):
    • Threat model: XXE / entity expansion, signature forgery, signature wrapping, key substitution via document-supplied KeyInfo, protocol violations (wrong Destination, Audience, Issuer, or validity window), replay of a previously consumed assertion.
    • Trust boundary: signatures are verified only against the configured IdP certificate fingerprints, never against document-supplied KeyInfo (link to Core.Xml.Dsig / IdpData).
    • Explicit non-goals (e.g. OIDC/OAuth support, acting as an IdP).
    • Algorithm policy: accepted vs rejected signature/digest/encryption algorithms.
    • Coordinated disclosure contact + supported-versions table.
  • An advisory template under docs/advisories/ for future CVE-style write-ups (root cause, impact, affected versions, fix).
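As an added illustration, not ex_saml's code and not its API, the following Python sketch applies the checks the threat model above enumerates to an already-parsed response: pinned-fingerprint key selection that never trusts a document-supplied KeyInfo, a signature/digest algorithm allowlist, Issuer/Destination/Audience/validity-window checks, and an assertion-ID replay cache. It assumes the XML has been parsed with DTDs and entity expansion disabled, uses a hypothetical `signature_verifies()` stand-in for XML-DSig, and every certificate, endpoint and assertion ID is a constructed placeholder.

```python
"""Added example of SP-side policy checks on a parsed SAML response.

Not ex_saml code. Assumes the response was parsed (DTDs/entity expansion
disabled) into a dict; signature_verifies() is a hypothetical stand-in for
XML-DSig; certificates and endpoints below are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Algorithm policy: SHA-256 based signatures/digests only; SHA-1 URIs are rejected.
ALLOWED_SIGNATURE_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
ALLOWED_DIGEST_ALGS = {"http://www.w3.org/2001/04/xmlenc#sha256"}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class IdpConfig:
    entity_id: str      # expected <saml:Issuer>
    sp_entity_id: str   # expected <saml:Audience>
    acs_url: str        # expected Destination attribute
    certs_der: list     # pinned IdP certificates (DER bytes) from configuration
    clock_skew: timedelta = timedelta(seconds=60)
    seen_ids: set = field(default_factory=set)  # replay cache (in-memory stand-in)


def select_verification_certs(config: IdpConfig, keyinfo_der) -> list:
    """Trust boundary: only pinned certificates are ever used for verification.
    A document-supplied <ds:KeyInfo> may pick one pinned cert by fingerprint
    but can never introduce a key of its own."""
    pinned = {fingerprint(c): c for c in config.certs_der}
    if keyinfo_der is not None and fingerprint(keyinfo_der) in pinned:
        return [pinned[fingerprint(keyinfo_der)]]
    return list(config.certs_der)


def signature_verifies(response: dict, cert_der: bytes) -> bool:
    """Hypothetical stand-in for XML-DSig: the constructed response records
    which certificate its signature was produced under."""
    return response["signed_under_der"] == cert_der


def validate(response: dict, config: IdpConfig, now: datetime) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    errors = []
    if response["signature_alg"] not in ALLOWED_SIGNATURE_ALGS:
        errors.append("signature_algorithm_rejected")
    if response["digest_alg"] not in ALLOWED_DIGEST_ALGS:
        errors.append("digest_algorithm_rejected")
    certs = select_verification_certs(config, response.get("keyinfo_der"))
    if not any(signature_verifies(response, c) for c in certs):
        errors.append("signature_invalid")
    if response["issuer"] != config.entity_id:
        errors.append("issuer_mismatch")
    if response["destination"] != config.acs_url:
        errors.append("destination_mismatch")
    if config.sp_entity_id not in response["audiences"]:
        errors.append("audience_mismatch")
    if now + config.clock_skew < response["not_before"]:
        errors.append("not_yet_valid")
    if now - config.clock_skew >= response["not_on_or_after"]:
        errors.append("expired")
    if response["assertion_id"] in config.seen_ids:
        errors.append("replay")
    if not errors:
        config.seen_ids.add(response["assertion_id"])  # consume only on success
    return errors


# Constructed sample data: not real certificates, endpoints or assertions.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
IDP_CERT_DER = b"constructed-idp-cert-der"
ATTACKER_CERT_DER = b"constructed-attacker-cert-der"


def make_config() -> IdpConfig:
    return IdpConfig(entity_id="https://idp.example.com/metadata",
                     sp_entity_id="https://sp.example.com/metadata",
                     acs_url="https://sp.example.com/sso/acs",
                     certs_der=[IDP_CERT_DER])


def good_response(assertion_id="_a1") -> dict:
    return {"assertion_id": assertion_id,
            "issuer": "https://idp.example.com/metadata",
            "destination": "https://sp.example.com/sso/acs",
            "audiences": ["https://sp.example.com/metadata"],
            "not_before": NOW - timedelta(minutes=1),
            "not_on_or_after": NOW + timedelta(minutes=5),
            "signature_alg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
            "digest_alg": "http://www.w3.org/2001/04/xmlenc#sha256",
            "keyinfo_der": IDP_CERT_DER,
            "signed_under_der": IDP_CERT_DER}


def run_scenarios() -> dict:
    """One legitimate response, then the attacks the threat model lists."""
    config = make_config()
    legit = good_response()
    results = {"legitimate": validate(legit, config, NOW)}
    results["replayed"] = validate(legit, config, NOW)  # same assertion ID again
    attack = good_response("_a2")                       # key substitution: attacker
    attack["keyinfo_der"] = ATTACKER_CERT_DER           # ships own cert in KeyInfo
    attack["signed_under_der"] = ATTACKER_CERT_DER      # and signs with its own key
    results["key_substitution"] = validate(attack, config, NOW)
    downgrade = good_response("_a3")
    downgrade["signature_alg"] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    downgrade["digest_alg"] = "http://www.w3.org/2000/09/xmldsig#sha1"
    results["sha1_downgrade"] = validate(downgrade, config, NOW)
    wrong_aud = good_response("_a4")
    wrong_aud["audiences"] = ["https://other-sp.example.net/metadata"]
    results["wrong_audience"] = validate(wrong_aud, config, NOW)
    results["expired"] = validate(good_response("_a5"), config, NOW + timedelta(hours=1))
    return results


if __name__ == "__main__":
    for name, errs in run_scenarios().items():
        print(f"{name:16s} {'accepted' if not errs else ', '.join(errs)}")
```

The key-substitution case is the one the trust-boundary bullet is about: the attacker's response carries a valid signature, but only under a certificate the SP never configured, so selecting verification keys from configuration alone makes the forged signature fail. In ex_saml that role would be played by Core.Xml.Dsig checking against the IdpData fingerprints, as the issue describes; the XXE / entity-expansion half of the threat model is a parser-configuration matter and is deliberately outside this sketch.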

Why

Out of scope

  • Code changes — this is documentation + process only.


Labels: documentation (Improvements or additions to documentation), medium prio (Medium priority)
