OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Per AI #0169 (Draft formal response to IBM research report on SAML)


SSTC colleagues,

Along with this message, I've now uploaded an initial working draft of a
response to the Gross paper as a basis for review and comment.  I have
conflicts against at least most of the group call slot tomorrow (13 July),
but solicit e-mail discussion in advance of its consideration at a later
meeting, once the shorter-fused V2.0 last call documents have been handled
appropriately.  In a number of places, I've attempted to intuit and/or
assert an interpretation on behalf of the SSTC; please take a look and see
if you agree with the indicated positions. 

As I reread the Gross paper along with the minutes from its discussion at
the Toronto meeting, one point struck me that I thought was worth raising to
the group: Given that (per bindings-1.0, secs. 4.1.1.3 and 4.1.1.7), SAML
cites the steps of Accessing the Inter-Site Transfer Service and Responding
to the User's Request For a Resource as steps within the BAP, I don't think
it's unreasonable for an independent reader or evaluator to draw the
conclusion that these processes are within SAML's scope (and, hence, that
SAML might take a role in protecting them), rather than ancillary stages in
an overall scenario of which SAML per se is another part.  We may want to
consider if there's possible wording or structure that more explictly
delimits the boundaries of where SAML starts and ends. 

--jl







[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]