Subject: Minutes of Bindings Con-Call, July 12
Attendees:
-------------
Carlisle Adams
Evan Prodromou
Simon Godzik
Prateek Mishra

Agenda: HTTP Binding (Section 2.1 from bindings 0.4)
--------------------------------------------------------------------

(1) Digital Signing

Section 2.1.3.4.1 describes specifics of the use of XML-DSIG for signing request/response messages (e.g., enveloped, enveloping etc.). The general suggestion was that instead we should call out a SAML profile for DSIG separately and refer to it here. Evan P. has volunteered to drive this effort forward.

Detached Signatures: should the SAML profile support detached signing? The group couldn't find any good examples in SAML where support for detached signatures is needed.

(2) Comments on 2.1.3.4: Authentication and Message Integrity

Text needs to be tightened up and also state:

(a) Request/Response messages that pass through intermediaries MUST be digitally signed.

(b) If a requester and responder communicate with each other without the use of intermediaries, then mutual authentication using client certificates over HTTPS may be used.

(3) Comments on 2.1.3.5: Confidentiality

Two issues here:

(a) Consensus that a server-side certificate MUST be required with SSL and that the text needs to be changed to reflect this. SSL supports a model in which neither end requires a certificate ("Diffie-Hellman Key Exchange"), but this isn't widely deployed.

(b) Open issue raised by Simon: whether the binding should also encompass use of other techniques for confidentiality, such as those based on a secret key. There seemed to be some resistance to this from the group. I will carry this forward as an open issue [ISSUE:Bindings-HTTP-01].

(4) 2.1.3.6.2 400 Bad Request

Text should be changed to reflect that only HTTP-level errors (headers, unknown URL) generate a 400 Bad Request. All SAML-level errors will be included within a SAML response and not exposed at the HTTP level.

(5) Boxcarring

How to bundle multiple SAML requests within a single HTTP request? The 0.4 HTTP binding does not have discussion of this topic. There were two opinions in this space:

(a) SAML requires a general boxcarring solution, which should be called out by the core assertions & protocols group.

(b) A solution specific to a particular binding is acceptable and may also be simpler to implement.

I will carry this forward as [ISSUE:Bindings-HTTP-02] and report on this to the TC.

(6) Cache Control Headers

There was some discussion of this topic, but on reviewing my notes I found it somewhat unclear. Simon has sent a message on the topic [Simon], but it appears to be related to 3(b) above. Does the discussion imply that we should always REQUIRE the HTTP 1.1 header:

    Cache-Control: no-cache

OR

    Pragma: no-cache   (HTTP 1.0)

and include this header in the list of required headers (2.1.3.2)? [ISSUE:Bindings-HTTP-03]

[Simon] http://lists.oasis-open.org/archives/security-bindings/200107/msg00007.html
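Added example, not part of the minutes or of any OASIS draft: a small Python check for the two header-level points raised above, item (4) (a 400 only for HTTP-level trouble, with SAML-level errors carried inside a SAML response on a 200) and item (6) (a no-cache header on every response, Cache-Control for HTTP/1.1 or Pragma for HTTP/1.0). The three sample responses are constructed, and the SAML 1.0 protocol namespace used in them is an assumption, since the minutes name no namespace.

```python
import xml.etree.ElementTree as ET

# Namespace of the later-published SAML 1.0 protocol schema; assumed here for
# the constructed samples only, the minutes themselves do not name one.
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (version, status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, int(status), headers, body


def has_no_cache(version: str, headers: dict) -> bool:
    """Item (6): HTTP/1.1 needs Cache-Control: no-cache, HTTP/1.0 needs Pragma: no-cache."""
    if version == "HTTP/1.1":
        directives = [d.strip().lower() for d in headers.get("cache-control", "").split(",")]
        return "no-cache" in directives
    return headers.get("pragma", "").lower() == "no-cache"


def saml_status(body: bytes):
    """Return the samlp:StatusCode Value of a SAML response body, or None when the
    body is not a SAML response (as with an HTTP-level error page)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}Response":
        return None
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return None if code is None else code.get("Value")


def classify(raw: bytes) -> dict:
    """Apply items (4) and (6) to one response: where the error (if any) is
    reported, and whether the no-cache header is present."""
    version, status, headers, body = parse_http_response(raw)
    return {
        "http_status": status,
        "no_cache": has_no_cache(version, headers),
        "saml_status": saml_status(body),
    }


# Constructed samples, not captured traffic.
# A SAML-level failure: HTTP 200, the error lives in samlp:StatusCode.
SAML_ERROR = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nCache-Control: no-cache\r\n\r\n"
    b'<samlp:Response xmlns:samlp="' + SAMLP.encode() + b'">'
    b'<samlp:Status><samlp:StatusCode Value="samlp:Responder"/></samlp:Status>'
    b"</samlp:Response>"
)
# An HTTP-level failure: 400, no SAML response body at all.
HTTP_ERROR = (
    b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n"
    b"Cache-Control: no-cache\r\n\r\nmalformed request"
)
# A successful HTTP/1.0 response that omits the Pragma: no-cache header.
MISSING_HEADER = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<samlp:Response xmlns:samlp="' + SAMLP.encode() + b'">'
    b'<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    b"</samlp:Response>"
)

if __name__ == "__main__":
    for name, raw in [("saml_error", SAML_ERROR), ("http_error", HTTP_ERROR),
                      ("missing_header", MISSING_HEADER)]:
        print(name, classify(raw))
```

The `no_cache` flag is what a binding conformance check would report against the required-header list of 2.1.3.2 if [ISSUE:Bindings-HTTP-03] is resolved in favour of requiring the header; the `saml_status` / `http_status` pair shows the split of item (4), a SAML error never surfacing as an HTTP 400.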