Re: [security-services] MTI security models for SOAP Binding

["Eve L. Maler" <Eve.Maler@Sun.COM>]

Somewhat OT: Something like this appeared in the SAML V1.x conformance 
doc, right?  There were other conformance considerations included in 
that document that we may want to bring forward (things like maximum 
number of nested elements etc.).

	Eve

Mishra, Prateek wrote:

> The SAML SOAP binding makes an appearance in 4 profiles:
> 
> (1) Web SSO Profile (via the Artifact Resolution Profile)
> (2) AssertionQuery/Request Profile (AttributeQuery,
> AuthorizationDecisionQuery, AssertionIDRequest)
> (3) NameID Mgmt
> (4) Single Logout
> 
> Conformance-04 does not as yet include any MTI security models for the SOAP
> binding. 
> 
> Proposal to add text to conformance-04 (starting at line 134)
> 
> 2.3 Security models for SOAP Binding
> 
> The following security models are MTI for profiles that use the SOAP
> binding. The SAML requester and responder MUST implement the following
> authentication methods:
> 
> 1. No client or server authentication. 
> 
> 2. HTTP basic authentication [RFC2617] with and without SSL 3.0 or TLS 1.0.
> The SAML requester MUST preemptively send the authorization header with the
> initial request.  
> 
> 3. HTTP over SSL 3.0 or TLS 1.0 (see Section 6) server authentication with a
> server-side certificate. 
> 
> 4. HTTP over SSL 3.0 or TLS 1.0 mutual authentication with both server-side
> and a client-side certificate. 
> 
> If a SAML responder uses SSL 3.0 or TLS 1.0, it MUST use a server-side
> certificate. 
> 
> 
> 
> 
> 
> 
> 
> 
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
> 
> 

-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com