Subject: RE: HTTP binding
Bob - The only application we have identified (so far) for the artifact is in the Web browser profile. In this application, the associated assertion will not contain an authenticator: the subject is authenticated by mere possession. Don't you think? Best regards. Tim.
-----Original Message-----
From: George Robert Blakley III
[mailto:George_Robert_Blakley_III/Tivoli_Systems@us.ibm.com]
Sent: Wednesday, July 11, 2001 3:26 PM
To: Tim Moses
Cc: 'Oasis security services bindings'
Subject: Re: HTTP binding
All,
Just to play devil's advocate, does the SAML artifact really always convey
all rights & privileges upon its possessor?
I think not, if the subject field is "holder of key", and maybe not in
other circumstances.
--bob
Bob Blakley (email: blakley@us.tivoli.com phone: +1 512 436 1564)
Chief Scientist, Security, Tivoli Systems, Inc.
Tim Moses <tim.moses@entrust.com> on 07/11/2001 02:15:16 PM
To: "'Oasis security services bindings'"
<security-bindings@lists.oasis-open.org>
cc:
Subject: HTTP binding
Colleagues - In preparation for tomorrow's telecon on the HTTP binding, let
me offer this thought ...
The HTTP binding may be used for message 4 in the Web browser profile, in
which case it will convey the SAML artifact. As knowledge of the artifact
confers on one all the identities and attributes of the genuine subject,
confidentiality is critical. Section 2.1.3.5 (Message confidentiality)
states that "HTTP/S may be used ... "
I feel that a statement to the effect that confidentiality of the artifact
is critical would be appropriate. Now, we may put such a statement in a
security considerations section, or in the browser profile section; it
doesn't have to be in 2.1.3.5. But, perhaps, it is appropriate to put a
reference in 2.1.3.5 to the place where the statement is made.
Best regards. Tim.
---------------------------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
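As an added illustration of the point debated above (that an artifact, and a bearer-confirmed assertion, convey everything to whoever possesses them, whereas a "holder of key" subject confirmation does not), here is a toy model written for this page; it is not code from the thread, from OASIS, or from any SAML implementation. The one-time, short-lived artifact store and the HMAC-based key proof (standing in for a real public-key proof) are assumptions of the model.

```python
import hashlib
import hmac
import secrets
import time


class ArtifactStore:
    """Source-site side (constructed): maps opaque artifacts to assertions.
    Each artifact is unguessable, single-use and short-lived, which limits
    the damage if its confidentiality is lost in transit."""

    def __init__(self, ttl_seconds=60):
        self._items = {}
        self.ttl = ttl_seconds

    def issue(self, assertion):
        art = secrets.token_urlsafe(20)          # opaque handle; must stay confidential
        self._items[art] = (assertion, time.time() + self.ttl)
        return art

    def resolve(self, art):
        entry = self._items.pop(art, None)       # pop => a replayed artifact fails
        if entry is None:
            return None
        assertion, expiry = entry
        return None if time.time() > expiry else assertion


def prove_key(key, challenge):
    """Subject side (constructed): proof of key possession over a fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def accepts_subject(assertion, proof=None, challenge=None):
    """Destination-site decision. 'bearer': possession of the assertion is the
    authentication. 'holder-of-key': possession alone is NOT enough; the caller
    must also prove the key named in the assertion (the point Bob raises)."""
    method = assertion["confirmation"]
    if method == "bearer":
        return True
    if method == "holder-of-key":
        if proof is None or challenge is None:
            return False
        return hmac.compare_digest(prove_key(assertion["key"], challenge), proof)
    return False                                 # unknown confirmation method
```

The `time.time()` check and the `pop` together mean a stolen artifact is only useful once, and only briefly; the holder-of-key branch shows why an intercepted assertion of that kind is not by itself an identity.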