

Subject: Fw: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded



Regards

Heather Hinton, PhD, PEng
Senior Security Architect, TFIM Product Architect

hhinton@us.ibm.com
tel: + 1 512 838 0455
T/L 678-0455



----- Forwarded by Heather Hinton/Austin/IBM on 01/31/2006 11:44 AM -----
Heather Hinton/Austin/IBM

01/30/2006 04:44 PM

To
<jmoreh@sigaba.com>
cc
Subject
RE: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded




There was an email chain, but our excessively aggressive mail archiving policies mean that I no longer have it (as it is more than 30 days old). However, the issue was simply around key location within saml:EncryptedData. In particular, we believe that the XML Encryption specification was not properly followed for the referencing of keys for encrypted data. While the approach used by other vendors certainly worked, it required that you have advanced knowledge of how to locate the keys used to encrypt data, and it was also limited to situations where you may have needed more than one key within a message.

To clarify the situation, we propose the following errata:

Errata/Clarification to <sstc-saml-core-2.0-cd-04.pdf>, where added text is defined like this

<sstc-saml-core-2.0-cd-04.pdf>
6.1 General Considerations
Encryption of the <Assertion>, <BaseID>, <NameID> and <Attribute> elements is provided by use
of XML Encryption [XMLEnc]. Encrypted data and optionally one or more encrypted keys MUST replace
the cleartext information in the same location within the XML instance. The <EncryptedData> element's
Type attribute SHOULD be used and, if it is present, MUST have the value
http://www.w3.org/2001/04/xmlenc#Element.

If an encrypted key is NOT included in the transmitted XML, then the application must be able to locally determine the key, per XML Encryption.

If the encrypted key is included with the transmitted XML, then it SHOULD be referenced within the EncryptedData or embedded within the EncryptedData. When referenced within the EncryptedData, the KeyInfo MUST include the defined RetrievalMethod.

Example: The parent element (saml:EncryptedID) contains the EncryptedData and the (referenced) EncryptedKey as siblings (note that the key can in fact be anywhere in the same document):

        <saml:EncryptedID
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <xenc:EncryptedData
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="a21613ec-0106-e058-840b-e4c694f070ed"
                        Type="http://www.w3.org/2001/04/xmlenc#Element">
                        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                <!-- URI points at the Id of the EncryptedKey below, not at the EncryptedData -->
                                <RetrievalMethod
                                        URI="#a21613ed-0106-e16b-2d8f-e4c694f070ed"
                                        Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
                        </KeyInfo>
                        <xenc:CipherData>
                                <xenc:CipherValue>
                                        Nk4W4mx...
                                </xenc:CipherValue>
                        </xenc:CipherData>
                </xenc:EncryptedData>

                <xenc:EncryptedKey Id="a21613ed-0106-e16b-2d8f-e4c694f070ed"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:EncryptionMethod
                                Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                        <xenc:CipherData>
                                <xenc:CipherValue>
                                        PzA5X...
                                </xenc:CipherValue>
                        </xenc:CipherData>
                </xenc:EncryptedKey>
        </saml:EncryptedID>

Example: EncryptedKey is contained and referenced within the EncryptedData:
        <saml:EncryptedID
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <xenc:EncryptedData Id="a21613ec-0106-e058-840b-e4c694f070ed"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Type="http://www.w3.org/2001/04/xmlenc#Element">
                        <xenc:EncryptionMethod
                                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"
                                        Id="a21613ed-0106-e16b-2d8f-e4c694f070ed">
                                        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                                        <CipherData><CipherValue>SDFSDF....OFQBg=</CipherValue></CipherData>
                                </EncryptedKey>
                        </KeyInfo>
                        <xenc:CipherData>
                                <xenc:CipherValue>
                                        Nk4W4mx...
                                </xenc:CipherValue>
                        </xenc:CipherData>
                </xenc:EncryptedData>
        </saml:EncryptedID>

In some cases, legacy implementations of SAML may implicitly identify the KeyInfo, simply through inclusion of EncryptedKey, together with EncryptedData, within the SAML EncryptedID. Note that this approach MUST NOT be used when there is to be more than one instance of EncryptedID in the transmitted XML or more than one EncryptedKey is included in the transmitted XML.

Any of the algorithms defined for use with XML Encryption MAY be used to perform the encryption. The
SAML schema is defined so that the inclusion of the encrypted data yields a valid instance.
</sstc-saml-core-2.0-cd-04.pdf>


Regards

Heather Hinton, PhD, PEng
Senior Security Architect, TFIM Product Architect

hhinton@us.ibm.com
tel: + 1 512 838 0455
T/L 678-0455
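
The key-location rules proposed above are the kind of thing a relying party should enforce in code rather than by convention. As an added example (not part of the message above, the errata text, or any IBM or OASIS code), the following Python walks a SAML message and, for each EncryptedData, applies the three cases in the proposed text in order: a KeyInfo/RetrievalMethod of Type EncryptedKey resolved by Id anywhere in the document, an EncryptedKey embedded in KeyInfo, and finally the legacy implicit sibling layout, which it accepts only when the message holds exactly one EncryptedID and one EncryptedKey. The sample messages, their Ids (ed-1, ek-1, ...) and the `<Message>` wrapper are constructed for the example; cipher text is placeholder as in the errata examples.

```python
"""Locate the xenc:EncryptedKey for a SAML 2.0 EncryptedData, following the
three cases in the proposed errata text: RetrievalMethod reference, key
embedded in KeyInfo, and the legacy implicit sibling layout (accepted only
when the message holds one EncryptedID and one EncryptedKey).
Added example; not code from the errata, IBM or OASIS."""
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
TYPE_ELEMENT = "http://www.w3.org/2001/04/xmlenc#Element"
TYPE_ENCRYPTED_KEY = "http://www.w3.org/2001/04/xmlenc#EncryptedKey"


class KeyLocationError(ValueError):
    """The key for an EncryptedData cannot be located unambiguously."""


def locate_encrypted_key(enc_data, root):
    """Return the EncryptedKey element protecting `enc_data`, or None when no
    key is transmitted (it must then be known locally, per XML Encryption)."""
    etype = enc_data.get("Type")
    if etype is not None and etype != TYPE_ELEMENT:
        raise KeyLocationError("EncryptedData Type must be %s" % TYPE_ELEMENT)
    key_info = enc_data.find(DS + "KeyInfo")
    if key_info is not None:
        # Case 1: explicit same-document reference to the key's Id. Only an
        # EncryptedKey may be the target; anything else is rejected.
        for rm in key_info.findall(DS + "RetrievalMethod"):
            if rm.get("Type") != TYPE_ENCRYPTED_KEY:
                continue
            uri = rm.get("URI", "")
            if not uri.startswith("#"):
                raise KeyLocationError("unsupported RetrievalMethod URI %r" % uri)
            hits = [e for e in root.iter() if e.get("Id") == uri[1:]]
            if len(hits) != 1 or hits[0].tag != XENC + "EncryptedKey":
                raise KeyLocationError("%s does not resolve to one EncryptedKey" % uri)
            return hits[0]
        # Case 2: the key is embedded directly inside KeyInfo.
        embedded = key_info.findall(XENC + "EncryptedKey")
        if len(embedded) > 1:
            raise KeyLocationError("KeyInfo embeds more than one EncryptedKey")
        if embedded:
            return embedded[0]
    # Case 3: legacy implicit layout, a sibling key inside the same EncryptedID.
    # Refuse it as soon as the message could make the pairing ambiguous.
    keys = list(root.iter(XENC + "EncryptedKey"))
    ids = list(root.iter(SAML + "EncryptedID"))
    if not keys:
        return None
    if len(keys) > 1 or len(ids) > 1:
        raise KeyLocationError("implicit key location not allowed with %d EncryptedKey"
                               " and %d EncryptedID elements" % (len(keys), len(ids)))
    parent = {c: p for p in root.iter() for c in p}.get(enc_data)
    if parent is None or parent.tag != SAML + "EncryptedID" or keys[0] not in list(parent):
        raise KeyLocationError("EncryptedKey is not a sibling of the EncryptedData")
    return keys[0]


def resolve(xml_text):
    """For every EncryptedData in a message, return the located key's Id,
    None (no key transmitted) or the error text, in document order."""
    root = ET.fromstring(xml_text)
    out = []
    for enc_data in root.iter(XENC + "EncryptedData"):
        try:
            key = locate_encrypted_key(enc_data, root)
            out.append(None if key is None else key.get("Id"))
        except KeyLocationError as exc:
            out.append("error: %s" % exc)
    return out


# Constructed sample messages: Ids such as ed-1/ek-1 and the <Message> wrapper
# are invented for this example; cipher text is placeholder as in the errata.
_NS = ('xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
       'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
       'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')
_KEY = ('<xenc:EncryptedKey Id="%s"><xenc:EncryptionMethod '
        'Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>'
        '<xenc:CipherData><xenc:CipherValue>PzA5X...</xenc:CipherValue></xenc:CipherData>'
        '</xenc:EncryptedKey>')
_DATA = ('<xenc:EncryptedData Id="%s" Type="http://www.w3.org/2001/04/xmlenc#Element">'
         '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>%s'
         '<xenc:CipherData><xenc:CipherValue>Nk4W4mx...</xenc:CipherValue></xenc:CipherData>'
         '</xenc:EncryptedData>')
_RM = ('<ds:KeyInfo><ds:RetrievalMethod URI="#%s" '
       'Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/></ds:KeyInfo>')


def _sibling_layout(n, key_info):
    """EncryptedID holding EncryptedData and its EncryptedKey as siblings."""
    return ('<saml:EncryptedID %s>' % _NS + _DATA % ("ed-" + n, key_info)
            + _KEY % ("ek-" + n) + '</saml:EncryptedID>')


SAMPLES = {
    "referenced": _sibling_layout("1", _RM % "ek-1"),           # errata example 1
    "embedded": ('<saml:EncryptedID %s>' % _NS                   # errata example 2
                 + _DATA % ("ed-2", '<ds:KeyInfo>' + _KEY % "ek-2" + '</ds:KeyInfo>')
                 + '</saml:EncryptedID>'),
    "legacy_single": _sibling_layout("3", ""),                   # implicit, unambiguous
    "legacy_two": ('<Message %s>' % _NS + _sibling_layout("4a", "")
                   + _sibling_layout("4b", "") + '</Message>'),  # implicit, ambiguous
    "bad_reference": _sibling_layout("5", _RM % "ed-5"),         # points at the data
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print("%-14s %s" % (name, resolve(doc)))
```

Run stand-alone, it prints one line per sample: the two errata layouts and the lone legacy layout each resolve to their key's Id, the two-EncryptedID legacy message is refused for both EncryptedData elements rather than guessed at, and a RetrievalMethod whose URI lands on the EncryptedData itself is rejected instead of being silently treated as a key. The actual RSA unwrap and AES decryption are left to the XML Encryption library in use; the point here is only to pick the right key, or refuse to pick one.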





"Jahan Moreh" <jmoreh@sigaba.com>

01/30/2006 02:51 PM
Please respond to
jmoreh

To
Heather Hinton/Austin/IBM@IBMUS
cc
Subject
RE: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded





Heather -
Was there an email regarding this erratum at all? If so, please send me the email link. If not, kindly write a simple description of the erratum and the proposed text to resolve the issue and I will add it to the errata doc.
 
Thanks,
Jahan
 


From: Heather Hinton [mailto:hhinton@us.ibm.com]
Sent: Monday, January 30, 2006 12:41 PM
To: jmoreh@sigaba.com
Subject: Re: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded



Jahan,
I just went through this and realized that the errata that we discussed before Christmas (regarding key inclusion/reference within saml:EncryptedData, discovered at Liberty sponsored interop in Nov) is not in this list. As I have text/proposed solution (I was the one given the to-do on this item), I wanted to submit it with reference to an errata number. However, I can't find an errata number...

How do we proceed? Thanks


Regards

Heather Hinton, PhD, PEng
Senior Security Architect, TFIM Product Architect

hhinton@us.ibm.com
tel: + 1 512 838 0455
T/L 678-0455




jmoreh@sigaba.com

01/30/2006 01:27 PM


To
security-services@lists.oasis-open.org
cc
Subject
[security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded







The document named sstc-saml-errata-2.0-draft-22.pdf has been submitted by
Jahan Moreh to the OASIS Security Services (SAML) TC document repository.

Document Description:
Draft 22 of SAML 2.0 errata document. A Word version is also available.
Changes from Draft 21: --> Added PE39-42

View Document Details:
http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=16453

Download Document:  
http://www.oasis-open.org/apps/org/workgroup/security/download.php/16453/sstc-saml-errata-2.0-draft-22.pdf


PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

-OASIS Open Administration



