Subject: RE: HTTP binding

Tim, this issue is covered in 3.1.2 of the web browser profile of the bindings doc (0.04) lines 485-491.

The web browser profile does not mandate the use of the SAML HTTP binding. For example, a SOAP binding may be preferred in some situations. The profile does require that the selected SAML binding MUST support confidentiality.

- prateek

-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Wednesday, July 11, 2001 3:15 PM
To: 'Oasis security services bindings'
Subject: HTTP binding

Colleagues - In preparation for tomorrow's telecon on the HTTP binding, let me offer this thought ...

The HTTP binding may be used for message 4 in the Web browser profile. In which case it will convey the SAML artifact. As knowledge of the artifact confers on one all the identities and attributes of the genuine subject, confidentiality is critical.

Section 2.1.3.5 (Message confidentiality) states that "HTTP/S may be used ... " I feel that a statement to the effect that confidentiality of the artifact is critical would be appropriate. Now, we may put such a statement in a security considerations section, or in the browser profile section; it doesn't have to be in 2.1.3.5. But, perhaps, it is appropriate to put a reference in 2.1.3.5 to the place where the statement is made.

Best regards. Tim.

---------------------------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183