For 20+ years I associated with folks who claimed to be experts in military key management (for certs, keys and the like). The whole concept of auto-refresh of asymmetric key management based on SAML metadata makes my gut wrench. I will NOT be using it (for the next 5 years). But, I can play with it, much as we played in the Win95 era with sending Authenticode-signed PKCS7 certs-only blobs in PE metadata headers, to rekey Windows trust. (And we should ALL know how that was abused for malicious ends, by various military cyber forces trying to plant logic bombs in foreign infrastructure, for use some rainy day.)
An article says:
----------
There are some extra precautions you need to apply when auto-refreshing the validation keys from the application. The main threat you need to mitigate is DNS hijacking, where an attacker uses malware to point you to a malicious metadata document and induce your app to trust the wrong keys.
If you don't override the .NET defaults for handling HTTP requests, the above scenario is already mitigated thanks to the fact that metadata documents are hosted on HTTPS endpoints. DNS hijacking can redirect requests to a malicious endpoint, but such an endpoint cannot pass the HTTPS server validation: not actually owning the domain on which metadata docs are hosted, the attacker cannot obtain an issued certificate for it, hence the client will be able to detect an issue with the server and avoid being misdirected.
http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx
----------
When I inserted a system net proxy in a web app the other day to have the local Fiddler tool process (and its HTTPS MITM capability, on the same Windows host as IIS) intercept a WS-Trust exchange with Azure ACS, some good things happened. The WS-Trust client detected the interception attempt (on what is a critical endpoint). NO manner of (normal level) fiddling with trust certs or the trust store could induce the WS-Trust channel to connect with the MITM in place.
Are the same countermeasures present when updating web.config with metadata-based certs obtained from an HTTPS endpoint, including Azure ACS endpoints for metadata documents?
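To make the question concrete, here is an added example (not code from the post, from the MSDN article, or from WIF/Azure ACS) written in Python rather than .NET, since the controls it illustrates are independent of the framework. It shows the three layers a defender would want around a metadata refresh: fetching over HTTPS with full chain and hostname validation (the .NET default the article relies on), optionally pinning the server certificate's thumbprint so an interposing proxy is refused even when its root CA has been pushed into the host trust store, and a key-continuity policy that refuses a refreshed document whose signing keys have no overlap with the ones already trusted. The certificate bytes, the entityID and the hostname are constructed placeholders, and the metadata document is built inline so the parsing and policy parts run offline; the fetch helper is shown but not exercised.

```python
"""
Guarded refresh of federation-metadata signing keys (illustrative, added example).

Assumes the metadata is a SAML 2.0 / WS-Federation EntityDescriptor whose signing
keys appear as <KeyDescriptor use="signing"> elements holding <ds:X509Certificate>.
The "certificates" below are constructed stand-in bytes, not real DER certificates.
"""
import base64
import hashlib
import http.client
import ssl
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Set

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER-encoded certificates.
CERT_A = b"constructed-cert-A-not-a-real-der"
CERT_B = b"constructed-cert-B-not-a-real-der"


def thumbprint(cert_der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the form a web.config thumbprint takes."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def fetch_metadata(host: str, path: str,
                   pinned_server_thumbprints: Optional[Set[str]] = None) -> bytes:
    """
    Fetch the document over HTTPS. ssl.create_default_context() verifies the chain
    and the hostname, which is what defeats a plain DNS-hijack to an attacker host.
    If pinned_server_thumbprints is given, the leaf certificate must also match one
    of them, which additionally refuses a local interposing proxy whose root CA has
    been installed into the trust store. Not exercised offline in this example.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    conn.connect()
    if pinned_server_thumbprints is not None:
        leaf_der = conn.sock.getpeercert(binary_form=True)
        if thumbprint(leaf_der) not in pinned_server_thumbprints:
            conn.close()
            raise ssl.SSLError("server certificate does not match pinned thumbprint")
    conn.request("GET", path)
    resp = conn.getresponse()
    if resp.status != 200:
        raise RuntimeError("unexpected HTTP status %d" % resp.status)
    return resp.read()


def signing_thumbprints(metadata_xml: bytes) -> Set[str]:
    """Return the thumbprints of every signing certificate carried in the document."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(thumbprint(der))
    return found


def accept_rotation(current: Set[str], fetched: Set[str]) -> Set[str]:
    """
    Key-continuity policy for the refreshed key set.
    A normal rollover publishes the new key alongside the old one, so at least one
    currently trusted key is still present. A document that replaces every key at
    once has no such overlap and is refused: the caller keeps the current set and
    should raise an alert rather than silently re-trusting whatever was served.
    """
    if not fetched:
        raise ValueError("metadata contains no signing certificates")
    if current and not (current & fetched):
        raise ValueError("no continuity with currently trusted keys; refusing rotation")
    return fetched


def sample_metadata(cert_ders: Iterable[bytes]) -> bytes:
    """Build a minimal constructed EntityDescriptor carrying the given signing certs."""
    key_descriptors = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        '<ds:X509Certificate>%s</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        % base64.b64encode(d).decode() for d in cert_ders
    )
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sts.example.invalid/">'
        '<md:RoleDescriptor>%s</md:RoleDescriptor></md:EntityDescriptor>'
        % (NS["md"], NS["ds"], key_descriptors)
    ).encode()


if __name__ == "__main__":
    trusted = {thumbprint(CERT_A)}
    # Normal rollover: old key still published next to the new one, accepted.
    print(accept_rotation(trusted, signing_thumbprints(sample_metadata([CERT_A, CERT_B]))))
    # Suspect document: every key replaced at once, refused.
    try:
        accept_rotation(trusted, signing_thumbprints(sample_metadata([CERT_B])))
    except ValueError as err:
        print("refused:", err)
```

The continuity rule is deliberately conservative: it turns a wholesale key swap into an operator decision instead of an automatic re-trust, which is the failure mode the quoted article's "extra precautions" are about. The thumbprint pin in `fetch_metadata` is the application-level analogue of what the WS-Trust client appeared to do in the Fiddler experiment above; whether the WIF metadata refresh path applies the same check is exactly the open question, so the pin is shown as something you add yourself rather than something you can assume.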