security-services message



Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)


I agree that a SOAP and/or SMIME profile should indicate the use of signatures for subject authentication, however, what about other bindings?  I actually favor the approach where an XMLSIG profile of XML-Protocol indicates this functionality (as part of XML-P) so that any application and/or protocol bound to XML-P doesn't have to worry about it.  Though, in the short term, if many implementors plan to bind directly to HTTP then it might make sense to go with Tim's original suggestion.
 
-dan      
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Thursday, August 23, 2001 3:49 PM
To: 'OASIS Security Services group'
Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)

Hal - Perhaps you are right.  I originally thought this was a different issue (one solved by allowing the Subject element to be a digest of a "document", so that the assertion could be "about" the data, rather than about a person).  But, on rereading, the mention of SOAP and S/MIME seems to suggest a "store-and-forward" communications model, with origin authentication based on the signer's signature over the data.

Can we conclude that Phill has the mandate to include the text proposed in my contribution ...

http://lists.oasis-open.org/archives/security-services/200108/msg00041.html

Or can we only append the text from the contribution to the description of the issue?

Best regards.  Tim.


-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Thursday, August 23, 2001 3:06 PM
To: 'Tim Moses'; 'OASIS Security Services group'
Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)


Sorry to change my story, but I just noticed:

ISSUE:[DS-10-01: AttachPayload]

There is a requirement for assertions to support some structure to support
their "secure attachment" to payloads. This is a blocking factor to creating
a SOAP profile or a MIME profile. If needed, the bindings group can make a
design proposal in this space but we would like input from the broader
group.

Status: Open

Is this the same issue? Can we just add some text to it to include your
proposal?

Hal

> -----Original Message-----
> From: Tim Moses [mailto:tim.moses@entrust.com]
> Sent: Thursday, August 23, 2001 2:09 PM
> To: 'OASIS Security Services group'
> Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)
>
>
> Hal - The only written response to my contribution on this
> topic was from Dan Ash (and that was supportive).  I did
> speak with Phill about it, and (I think) he felt he needed
> the group's explicit instruction to include it.  I have
> suggested text on the topic for the SubjectConfirmation
> section, but that text was not included in Core 15.  I am
> trying to figure out how best to get the "group" to instruct
> Phill to include it in the next draft.  Best regards.  Tim.
> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Thursday, August 23, 2001 2:02 PM
> To: 'Tim Moses'; 'OASIS Security Services group'
> Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)
>
>
> Sorry, I just missed it. I will add it.

> After doing a little research I am confused. At first I
> thought, we have a usecase for some kind of document exchange
> in a store and forward environment that would mandate this. I
> can't find one in draft-sstc-saml-reqs-01. The only thing I
> found is a requirement for an ebXML binding, which I suspect
> will require this, although I am not that familiar with
> ebXML. I also cannot find open or closed issues on this kind
> of a use case. Can anyone help me out? Does anyone from the
> usecase group remember if store and forward transactions are
> supposed to be in or out?

> Assume the answer is "in", is this issue controversial?
> Personally I thought this was one of the intended uses of
> SubjectConfirmation. (I am having trouble following the
> discussion thread, because this was originally one point among
> many in your comments.) Have there been any arguments against it?

> Hal
> -----Original Message-----
> From: Tim Moses [mailto:tim.moses@entrust.com]
> Sent: Wednesday, August 22, 2001 4:21 PM
> To: 'OASIS Security Services group'
> Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)
>
>
> Hal - I do have one issue that I would like to raise.  I
> could offer to "champion" it, if it is appropriate.
> There is a need for a subject confirmation method based on a
> signature over a document.  Carlisle has dubbed this
> "unaccompanied data".  Also, see Dan Ash's posting on the topic ...
> http://lists.oasis-open.org/archives/security-services/200108/msg00029.html
> Should this method be added to section 4 of Core 15?
> All the best.  Tim.
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Wednesday, August 22, 2001 10:51 AM
To: 'security-services@lists.oasis-open.org';
'security-editors@lists.oasis-open.org'
Subject: Updated Issues List (draft-sstc-saml-issues-06.doc)


The issues list has been updated to reflect recent discussions on the list.
Some arbitrary decisions were made about what are issues and what are merely
editorial comments. Please let me know if I have missed your issue.
The issue status report has been delayed but will be issued soon.
Hal


