Subject: RE: [security-services] Fwd: SAML Conformance SSL/TLS requirements
> Well, you are not "recommending", you are REQUIRING, which is my main point.
> I believe the language in this section should be relaxed to say these cipher
> suites are RECOMMENDED, rather than MTI.

The point of conformance is to ensure points of commonality. If they aren't REQUIRED, then there is no guarantee that any two SAML components will share any cipher suites. The fact that this is unlikely to be an issue in practice doesn't change the goal.

> It isn't part of the SAML specification, it's purely a
> transport layer issue that (imho) is out of scope for these specs.

It is important to ensure that the implementations of that transport layer by requesters and responders support a common set. The fact that some may (or may not) choose to use existing off the shelf libraries to implement that transport is immaterial. This just forces implementers to pick good ones.

Why is this different than making specific XML Sig algorithms MTI? Of course maybe you disagree with that too, as that would be consistent.

-- Scott