security-services message


Subject: Fwd: SAML Conformance SSL/TLS requirements


Eric Tiffany had asked the following question about the conformance 
specification:

[quote]
I have a question about sections 5.1 and 5.2 of the SAML 2 conformance 
doc. These sections place requirements on "TLS-capable implementations", 
"FIPS TLS-capable implementations", etc., regarding required cipher suites.

What do "TLS-capable", "FIPS TLS-capable" mean? I know what TLS and FIPS 
are, but who determines that an implementation is one or the other or 
both? Isn't the choice of cipher suite more of a deployment issue, and 
not something that SAML should define normatively? Whether a SAML 
implementation supports a particular cipher suite would seem to depend 
on the HTTP/SOAP webserver or appserver, not on the SAML code itself. I 
think this places some unsupportable requirements on SAML library 
implementors who may not control how their otherwise-conformant 
implementations are deployed.
[end-quote]

All of Section 5 describes conformant use of SSL or TLS when deployed as 
a part of a SAML implementation. [Rescorla] has the following text: 
"SSL supports a variety of cipher suites, specifying the set of 
algorithms used for the connection. These algorithms vary from very weak 
exportable ciphers such as RC4 in 40-bit mode to (hopefully) very strong 
ciphers such as 3DES. [...] It is therefore necessary to choose a cipher 
suite commensurate with the value of your data".

This is precisely the goal of Section 5. We are recommending use of 
specific cipher suites for SSL/TLS that are generally accepted to be of 
adequate strength. It should be possible to configure SAML products 
using SSL/TLS with these settings, and, indeed, a conformance test should 
include such a test.

The FIPS piece of it has to do with additional qualification for 
implementations that are required to meet standards set by the federal govt.

- prateek

[Rescorla] Eric Rescorla, SSL and TLS: Designing and Building Secure Systems, 
Addison-Wesley, 2001.
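As an added illustration of the kind of check the reply says a conformance test should include (this is example code, not part of the message or of the SAML conformance document), the probe below offers a deployed SAML endpoint's TLS listener only a required set of cipher suites and reports whether the server accepts one of them. The suite names in REQUIRED_SUITES, the host name and all function names are placeholders chosen for the example; substitute the suites the conformance document actually mandates.

```python
"""Probe a deployed endpoint's TLS listener for a required cipher suite.

Added example; REQUIRED_SUITES is a constructed placeholder list in OpenSSL
naming (the form Python's ssl module reports), not the conformance document's list.
"""
import socket
import ssl

REQUIRED_SUITES = ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384")


def build_probe_context(required_suites):
    """Client context that offers only the required suites, so a completed
    handshake proves the server accepts at least one of them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The placeholder suites are TLS 1.2 suites, so pin the probe to TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Cipher-suite conformance only; certificate validation is a separate test.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(":".join(required_suites))
    return ctx


def evaluate(negotiated, required_suites):
    """Decision logic. `negotiated` is the suite name from SSLSocket.cipher(),
    or None when the server rejected every offered suite."""
    if negotiated is None:
        return (False, "handshake failed: server accepts none of the required suites")
    if negotiated in required_suites:
        return (True, "negotiated " + negotiated)
    return (False, "server chose unexpected suite " + negotiated)


def probe_endpoint(host, port, required_suites=REQUIRED_SUITES, timeout=5.0):
    """Connect, handshake with the restricted context and classify the outcome.
    Only TLS-level failures count as a cipher rejection; network errors propagate."""
    ctx = build_probe_context(required_suites)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                negotiated = tls.cipher()[0]
    except ssl.SSLError:
        negotiated = None
    return evaluate(negotiated, required_suites)


if __name__ == "__main__":
    # Placeholder host; point this at the deployment under test.
    ok, reason = probe_endpoint("idp.example.test", 443)
    print("CONFORMANT" if ok else "NON-CONFORMANT", "-", reason)
```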


