Subject: Fwd: SAML Conformance SSL/TLS requirements
Eric Tiffany had asked the following question about the conformance specification:

[quote]
I have a question about sections 5.1 and 5.2 of the SAML 2 conformance doc. These sections place requirements on "TLS-capable implementations", "FIPS TLS-capable implementations", etc., regarding required cipher suites. What do "TLS-capable" and "FIPS TLS-capable" mean? I know what TLS and FIPS are, but who determines that an implementation is one or the other or both?

Isn't the choice of cipher suite more of a deployment issue, and not something that SAML should define normatively? Whether a SAML implementation supports a particular cipher suite would seem to depend on the HTTP/SOAP webserver or appserver, not on the SAML code itself. I think this places some unsupportable requirements on SAML library implementors who may not control how their otherwise-conformant implementations are deployed.
[end-quote]

All of Section 5 describes conformant use of SSL or TLS when deployed as a part of a SAML implementation. [Rescorla] has the following text:

"SSL supports a variety of cipher suites, specifying the set of algorithms used for the connection. These algorithms vary from very weak exportable ciphers such as RC4 in 40-bit mode to (hopefully) very strong ciphers such as 3DES. [...] It is therefore necessary to choose a cipher suite commensurate with the value of your data."

This is precisely the goal of Section 5. We are recommending use of specific cipher suites for SSL/TLS that are generally accepted to be of adequate strength. It should be possible to configure SAML products using SSL/TLS with these settings, and, indeed, a conformance test should include such a test.

The FIPS piece of it has to do with additional qualification for implementations that are required to meet standards set by the federal govt.

- prateek

[Rescorla] SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001.
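The reply above argues that a conformance test should verify the cipher suites an SSL/TLS deployment actually enables. The following is an added example of such a check, written for this page and not taken from the SAML conformance document or from either correspondent. The weak-suite markers, the constructed sample list, the hardened OpenSSL cipher string and the allow list are all assumptions for illustration; the conformance document's own list of required suites is not reproduced here.

```python
"""Check the cipher suites a TLS deployment enables against a policy.

Added example (not from the SAML conformance spec or the thread).
Two models are shown: a deny-rule model that rejects suites with
well-known weaknesses, and an allow-list model that accepts only an
explicitly named set, which is closer to "recommend specific suites".
"""
import ssl

# OpenSSL-style name fragments treated as weak for any deployment:
# anonymous key exchange (ADH/AECDH), no encryption (NULL), export
# grades (EXP), RC4 and MD5-based integrity.  Assumed rules.
WEAK_MARKERS = ("NULL", "EXP", "ADH", "AECDH", "RC4", "MD5")


def is_weak(suite: str) -> bool:
    """Return True if an OpenSSL cipher-suite name matches a weak rule."""
    if any(marker in suite for marker in WEAK_MARKERS):
        return True
    # Single DES ("DES-CBC-SHA") is weak; 3DES ("DES-CBC3-SHA") is not
    # rejected by this rule (Rescorla's "hopefully very strong" example).
    return "DES-CBC-" in suite and "DES-CBC3" not in suite


def check_policy(enabled, allow_list=None):
    """Split enabled suite names into (accepted, rejected).

    With an allow_list only its members are accepted; otherwise the
    deny rules in is_weak() decide.  Order of the input is preserved.
    """
    accepted, rejected = [], []
    for name in enabled:
        if allow_list is not None:
            ok = name in allow_list
        else:
            ok = not is_weak(name)
        (accepted if ok else rejected).append(name)
    return accepted, rejected


def context_cipher_names(cipher_string: str):
    """Names the local OpenSSL build enables for an OpenSSL cipher string.

    This is what a deployment check would inspect: the suites the
    server's TLS stack will really offer, not what the SAML code intends.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample of what a loosely configured app server might offer.
SAMPLE_ENABLED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "DES-CBC-SHA",
    "ADH-AES128-SHA",
    "NULL-SHA",
]

# Assumed hardened cipher string: strong suites only, with the weak
# classes from the deny rules excluded explicitly as well.
HARDENED = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES"

# Assumed allow list for the "recommend specific suites" model.
ALLOWED = {"ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA"}


def main():
    acc, rej = check_policy(SAMPLE_ENABLED)
    print("deny-rule model: accepted", acc)
    print("deny-rule model: rejected", rej)
    acc, rej = check_policy(SAMPLE_ENABLED, allow_list=ALLOWED)
    print("allow-list model: accepted", acc)
    print("allow-list model: rejected", rej)
    names = context_cipher_names(HARDENED)
    _, rej = check_policy(names)
    print("local OpenSSL with %r: %d suites, %d rejected"
          % (HARDENED, len(names), len(rej)))


if __name__ == "__main__":
    main()
```

The deny-rule model catches the classes Rescorla names (40-bit export RC4 and friends) wherever they appear, while the allow-list model is what a conformance clause that lists specific suites amounts to; the last check in main() shows the point of the reply, that the set to test is whatever the web or application server's TLS stack enables under a given configuration.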