[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Fwd: SAML Conformance SSL/TLS requirements
On 8/15/05 6:08 PM, "Prateek Mishra" <prateek.mishra@oracle.com> wrote: > Eric Tiffany had asked the following question about conformance > specification > > [quote] >> I have a question about sections 5.1 and 5.2 of the SAML 2 conformance >> doc. These sections place requirements on "TLS-capable implementations", >> "FIPS TLS-capable implementations", etc., regarding required cipher suites. >> >> What do "TLS-capable", "FIPS TLS-capable" mean? I know what TLS and FIPS >> are, but who determines that an implementation is one or the other or >> both? Isn't the choice of cipher suite more of a deployment issue, and >> not something that SAML should define normatively? Whether a SAML >> implementation supports a particular cipher suite would seem to depend >> on the HTTP/SOAP webserver or appserver, not on the SAML code itself. I >> think this places some unsupportable requirements on SAML library >> implementors who may not control how their otherwise-conformant >> implementations are deployed. >> [end-quote] Just to emphasize, I am really asking two questions: 1) The terms "FIPS TLS-Capable" and "TLS-Capable" are not defined. What does this mean, precisely. 2) Why are the cipher suites indicated as MUST? also more below... > > All of Section 5 describes conformant use of SSL or TLS when deployed as > a part of a SAML implementation. [Rescorla] has the following text: > "SSL supports a variety of cipher suites, specifying the set of > algorithms used for the connection. These algorithms vary from very weak > exportable ciphers such as RC4 in 40-bit mode to (hopefully) very strong > ciphers such as 3DES. [...] It is therefore necessary to choose a cipher > suite commensurate with the value of your data". And this sort of contradicts your subsequent statements. If you should "choose a cipher suite commensurate with the value of your data", then SSTC should not be dictating a particular set of ciphers which may not be the best for a particular situation. > > This is precisely the goal of Section 5. We are recommending use of > specific cipher suites for SSL/TLS that are generally accepted to be of > adequate strength. It should be possible to configure SAML products > using SSL/TLS with these settings, and, indeed a conformance test should > include such a test. Well, you are not "recommending", you are REQUIRING, which is my main point. I believe the language in this section should be relaxed to say these cipher suites are RECOMMENDED, rather than MTI. It isn't part of the SAML specification, it's purely a transport layer issue that (imho) is out of scope for these specs. ET > > The FIPS piece of it has to do with additional qualification for > implementations that are required to meet standards set by the federal govt. > > - prateek > > [Rescorla] SSL and TLS, Designing and Building Secure Systems, > Addison-Wesley, 2001. > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. You may a link to this group and all your TCs in OASIS > at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > -- ____________________________________________________ Eric Tiffany | eric@projectliberty.org Interop Tech Lead | +1 413-458-3743 Liberty Alliance | +1 413-627-1778 mobile
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]