Subject: RE: [security-bindings] soap bindings edits
Rich,

Thanx for your comments.

>>63-64, SOAP *requires* XML namespace. It's not just that "some parsers"
>>need it, it's that SOAP itself requires it.

This is a recommendation that SAML elements be used with full namespace qualification. Based on previous discussion, this comment is not very helpful and I will remove it from the text.

>>124-125, authentication need not be based on the underlying transport;
>>cf the W3C note on "Signed soap" and the recent IETF I-D on digest and
>>basic auth for soap (draft-cunnings-salz-soap-auth).

Indeed, there are very many new and exciting security models proposed for XML messaging. It is not a task for the SAML SOAP binding to investigate or work with these models. Instead, our task is to call out a minimum set of standard (basic auth, SSL certs) and widely deployed security models for SOAP/HTTP as MANDATORY-TO-IMPLEMENT.

>>Because of this, I believe lines 78-79, additional SOAP header elements
>>are not allowed, are incorrect.
>> /r$

You have a misunderstanding here. We are merely stating that a compliant receiver of a SAML over SOAP message cannot REQUIRE additional headers to be present. You are free to add as many headers as you like.

The final docs will definitely include PDF versions.

- prateek