security-services message
Subject: Fw: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
- From: Heather Hinton <hhinton@us.ibm.com>
- To: security-services@lists.oasis-open.org
- Date: Tue, 31 Jan 2006 11:46:18 -0600
Regards
Heather Hinton, PhD, PEng
Senior Security Architect, TFIM Product Architect
hhinton@us.ibm.com
tel: + 1 512 838 0455
T/L 678-0455
----- Forwarded by Heather Hinton/Austin/IBM on 01/31/2006 11:44 AM -----
From: Heather Hinton/Austin/IBM
Date: 01/30/2006 04:44 PM
To: <jmoreh@sigaba.com>
Subject: RE: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
There was an email chain, but our excessively
aggressive mail archiving policies mean that I no longer have it (as it
is more than 30 days old). However, the issue was simply around key location
within saml:EncryptedData. In particular, we believe that the XML Encryption
specification was not properly followed for the referencing of keys for
encrypted data. While the approach used by other vendors certainly worked,
it required that you have advanced knowledge of how to locate the keys
used to encrypt data, and it was also limited to situations where you may
have needed more than one key within a message.
To clarify the situation, we propose
the following errata:
Errata/Clarification to <sstc-saml-core-2.0-cd-04.pdf>, where added text is defined like this
<sstc-saml-core-2.0-cd-04.pdf>
6.1 General Considerations

Encryption of the <Assertion>, <BaseID>, <NameID> and <Attribute> elements is provided by use of XML Encryption [XMLEnc]. Encrypted data and optionally one or more encrypted keys MUST replace the cleartext information in the same location within the XML instance. The <EncryptedData> element's Type attribute SHOULD be used and, if it is present, MUST have the value http://www.w3.org/2001/04/xmlenc#Element.

If an encrypted key is NOT included in the transmitted XML, then the application must be able to locally determine the key, per XML Encryption. If the encrypted key is included with the transmitted XML, then it SHOULD be referenced within the EncryptedData or embedded within the EncryptedData. When referenced within the EncryptedData, the KeyInfo MUST include the defined RetrievalMethod.
Example: The parent element (saml:EncryptedID) contains the EncryptedData and the (referenced) EncryptedKey as siblings (note that the key can in fact be anywhere in the same document):
<saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Id="a21613ec-0106-e058-840b-e4c694f070ed"
      Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <!-- URI names the Id of the sibling EncryptedKey below, not of this EncryptedData -->
      <RetrievalMethod URI="#a21613ed-0106-e16b-2d8f-e4c694f070ed"
          Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
    </KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>Nk4W4mx...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Id="a21613ed-0106-e16b-2d8f-e4c694f070ed">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <xenc:CipherData>
      <xenc:CipherValue>PzA5X...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>
</saml:EncryptedID>
Example: EncryptedKey is contained and referenced within the EncryptedData:
<saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Id="a21613ec-0106-e058-840b-e4c694f070ed"
      Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"
          Id="a21613ed-0106-e16b-2d8f-e4c694f070ed">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <CipherData><CipherValue>SDFSDF....OFQBg=</CipherValue></CipherData>
      </EncryptedKey>
    </KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>Nk4W4mx...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedID>
In some cases, legacy implementations of SAML may implicitly identify the KeyInfo, simply through inclusion of EncryptedKey, together with EncryptedData, within the SAML EncryptedID. Note that this approach MUST NOT be used when there is to be more than one instance of EncryptedID in the transmitted XML or more than one EncryptedKey is included in the transmitted XML.

Any of the algorithms defined for use with XML Encryption MAY be used to perform the encryption. The SAML schema is defined so that the inclusion of the encrypted data yields a valid instance.
</sstc-saml-core-2.0-cd-04.pdf>
Regards
Heather Hinton, PhD, PEng
Senior Security Architect, TFIM Product Architect
hhinton@us.ibm.com
tel: + 1 512 838 0455
T/L 678-0455
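As an added example (not code from the thread, from IBM or from OASIS), a small Python resolver that applies the lookup rules of the proposed erratum to each saml:EncryptedID: an EncryptedKey embedded in the KeyInfo wins, then a same-document RetrievalMethod of Type EncryptedKey, and the legacy implicit-sibling convention is accepted only when the document holds exactly one EncryptedID and one EncryptedKey, otherwise the message is rejected as ambiguous. The sample documents, the Ids k0, k1, ... and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
EK_TYPE = "http://www.w3.org/2001/04/xmlenc#EncryptedKey"

def find_encrypted_key(root, enc_id):
    """(EncryptedKey or None, how) for one saml:EncryptedID, in the erratum's order: embedded in
    KeyInfo, same-document RetrievalMethod, then the legacy sibling (one EncryptedID, one key)."""
    key_info = enc_id.find(XENC + "EncryptedData/" + DS + "KeyInfo")
    if key_info is not None:
        ek = key_info.find(XENC + "EncryptedKey")
        if ek is not None:
            return ek, "embedded"
        rm = key_info.find(DS + "RetrievalMethod")
        if rm is not None:
            uri = rm.get("URI", "")
            if rm.get("Type") != EK_TYPE or not uri.startswith("#"):
                return None, "reject: not a same-document EncryptedKey reference"
            for ek in root.iter(XENC + "EncryptedKey"):
                if ek.get("Id") == uri[1:]:
                    return ek, "referenced"
            return None, "reject: dangling reference " + uri
    keys = list(root.iter(XENC + "EncryptedKey"))
    if not keys:
        return None, "local"  # no key transmitted: the application must determine it locally
    sibling = enc_id.find(XENC + "EncryptedKey")
    if sibling is not None and len(keys) == 1 and len(list(root.iter(SAML + "EncryptedID"))) == 1:
        return sibling, "legacy-sibling"
    return None, "reject: no reference and the legacy sibling convention is ambiguous"

def locate(xml_text):
    root = ET.fromstring(xml_text)
    return [find_encrypted_key(root, e)[1] for e in root.iter(SAML + "EncryptedID")]

# Constructed sample fragments with placeholder cipher text and hypothetical Ids k0, k1, ...
ID = ('<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
      'Type="http://www.w3.org/2001/04/xmlenc#Element">{keyinfo}<xenc:CipherData><xenc:CipherValue>'
      'Nk4W4mx...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>{sibling}</saml:EncryptedID>')
KEY = ('<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="k{i}"><xenc:CipherData>'
       '<xenc:CipherValue>PzA5X...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>')
REF = '<ds:RetrievalMethod URI="#k{i}" Type="' + EK_TYPE + '"/>'
KI = '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{inner}</ds:KeyInfo>'
ROOT = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{ids}</saml:Assertion>'

def sample(style, n=1):
    """n EncryptedIDs whose key is "referenced", "embedded", a bare legacy "sibling", or absent."""
    keyinfo = {"referenced": KI.format(inner=REF), "embedded": KI.format(inner=KEY)}.get(style, "")
    one = ID.format(keyinfo=keyinfo, sibling=KEY if style in ("referenced", "sibling") else "")
    return ROOT.format(ids="".join(one.format(i=i) for i in range(n)))
```

With two EncryptedIDs, the referenced and embedded forms still resolve each key unambiguously, while two bare sibling keys are rejected, which is the case the erratum's MUST NOT rules out.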
"Jahan Moreh" <jmoreh@sigaba.com>
01/30/2006 02:51 PM
To: Heather Hinton/Austin/IBM@IBMUS
Subject: RE: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
Heather -
Was there an email regarding this
erratum at all? If so, please send me the email link. If not, kindly write
a simple description of the erratum and the proposed text to resolve the
issue and I will add it to the errata doc.
Thanks,
Jahan
From: Heather Hinton [mailto:hhinton@us.ibm.com]
Sent: Monday, January 30, 2006 12:41 PM
To: jmoreh@sigaba.com
Subject: Re: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
Jahan,
I just went through this and realized that the errata that we discussed
before Christmas (regarding key inclusion/reference within saml:EncryptedData,
discovered at Liberty sponsored interop in Nov) is not in this list. As
I have text/proposed solution (I was the one given the to-do on this item),
I wanted to submit it with reference to an errata number. However, I can't
find an errata number...
How do we proceed? Thanks
Regards
Heather Hinton, PhD, PEng
Senior Security Architect, TFIM Product Architect
hhinton@us.ibm.com
tel: + 1 512 838 0455
T/L 678-0455
jmoreh@sigaba.com
01/30/2006 01:27 PM
To: security-services@lists.oasis-open.org
Subject: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
The document named sstc-saml-errata-2.0-draft-22.pdf has been submitted by Jahan Moreh to the OASIS Security Services (SAML) TC document repository.
Document Description:
Draft 22 of SAML 2.0 errata document. A Word version is also available.
Changes from Draft 21: --> Added PE39-42
View Document Details:
http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=16453
Download Document:
http://www.oasis-open.org/apps/org/workgroup/security/download.php/16453/sstc-saml-errata-2.0-draft-22.pdf
PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.
-OASIS Open Administration