Subject: [Action - Gil]: To make a proposal on the mandatory use of HTTPS
All,

I am struggling with this action item. The issue originates from the mandatory use of HTTP(S) in 4.1.4.1 (SAML Artifact) and 4.1.4.3 (Form POST) between the browser-equipped user and the source and destination sites respectively. The essential issue therein is confidentiality of the SAML artifact (4.1.4.1) or SAML assertions (4.1.4.3). If we do not use HTTPS, the HTTP traffic between the user and source or destination can be copied and used for impersonation. There was concern at this requirement at the F2F#4 and, as Gil is away, the action item has fallen to me. But I am genuinely puzzled as to how we can move away from this requirement.

(1) Should the text merely state that confidentiality is a requirement (MUST) (could be met in some unspecified way?) and that HTTPS MAY be used? I am opposed to this formulation as it is not specific enough to support interoperability. How can a pair of sites collaborate to support the web browser profile if each uses some arbitrary method for confidentiality?

(2) Another approach would be to require confidentiality (MUST) and specify HTTPS as a mandatory-to-implement feature. Those sites that prefer to use some other method for confidentiality can do so, but all sites must also support HTTPS. This ensures interoperability as we can always fall back on HTTPS.

Comments are invited.

- prateek
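The interoperability argument behind options (1) and (2), as an added example that is not part of the post or of any SAML specification: each site advertises the endpoints it accepts the artifact or POSTed assertion on, and two sites can run the browser profile confidentially only if they share a mechanism. The site configurations and the non-HTTPS scheme name are constructed placeholders.

```python
"""Model of the post's argument: under option (1) two sites may share no
confidentiality mechanism; under option (2) HTTPS is always a common fallback."""
from urllib.parse import urlsplit

# Schemes taken to give the SAML artifact / assertion confidentiality in transit.
# "https" is the mechanism every site understands; "x-other-secure" is a
# hypothetical placeholder for the "unspecified" method option (1) would allow.
CONFIDENTIAL_SCHEMES = {"https", "x-other-secure"}


def confidential_schemes(endpoints):
    """Return the confidentiality-providing schemes a site advertises for its
    artifact-receiver / assertion-consumer endpoints (plain http is ignored)."""
    schemes = set()
    for url in endpoints:
        scheme = urlsplit(url).scheme.lower()
        if scheme in CONFIDENTIAL_SCHEMES:
            schemes.add(scheme)
    return schemes


def meets_option_2(endpoints):
    """Option (2): confidentiality is a MUST and HTTPS is mandatory to implement,
    so a site must advertise at least one https endpoint (others may coexist)."""
    return "https" in confidential_schemes(endpoints)


def can_interoperate(source_endpoints, dest_endpoints):
    """Two sites can exchange the artifact/assertion confidentially only if they
    share at least one confidentiality mechanism."""
    shared = confidential_schemes(source_endpoints) & confidential_schemes(dest_endpoints)
    return bool(shared)


# Constructed site configurations, not real deployments.
SITE_A = ["https://a.example/saml/artifact"]
SITE_B = ["x-other-secure://b.example/saml/consumer"]  # option (1): arbitrary method only
SITE_C = ["x-other-secure://c.example/saml/consumer",
          "https://c.example/saml/consumer"]           # option (2): own method plus HTTPS
SITE_D = ["http://d.example/saml/consumer"]            # plain HTTP: traffic can be copied

if __name__ == "__main__":
    print(can_interoperate(SITE_A, SITE_B))  # False: no common mechanism under option (1)
    print(can_interoperate(SITE_A, SITE_C))  # True: HTTPS fallback under option (2)
    print(meets_option_2(SITE_B), meets_option_2(SITE_C), meets_option_2(SITE_D))
```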