OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services] Minutes minutes SSTC/SAML concall Tue21-Oct-2008


> > In other words, I'm told that it's left open in 
> XMLSignature for a reason,
> > and it's not clear to me why we have any better reason to 
> constrain it than
> > we would for the XML encoding.

Scott: What's the reason that you're told it's left open in XML-DSIG?

> 
> The reason for specifying the encoding is quite clear to me at least.
> If the SAML issuer is allowed to bind an arbitrarily encoded X.509
> certificate to a HoK assertion, the relying party has no way of
> determining what encoding was used, and therefore the relying party is
> unable to confirm the subject.

If a particular community/federation uses a certificate encoding other than DER, what option do they have open to them if DER is REQUIRED? I suppose they could create a new profile, but it seems odd to do that just to specify a different certificate encoding.

In general, though, this is a potential interop problem that we should try to solve, IMO. I guess we don't want to do something like extending the ds:X509Certificate element to add an Encoding attribute?

> 
> > Alternatively, I guess I'd be in favor of making this a RECOMMENDED
> > encoding, but doing that in SAML core itself, rather than 
> requiring every
> > profile that touches this element to repeat it.
> 
> Right, which is the same language I used in the HoK Assertion Profile
> with respect to DNs, but not because I wanted to.  I would much rather
> specify a DN MUST conform to RFC2253 (or RFC4515).  There's too much
> variability in DN string formats to leave this open.

I guess RECOMMENDED is the way to go.

::Ari

-- 
Oracle <http://www.oracle.com> 
Ari Kermaier | Senior Software Development Manager | Phone: +1 212 303 7568 
Oracle Oracle Identity Management Product Development
540 Madison Avenue, 4th Floor | New York, NY 10022 

Green Oracle <http://www.oracle.com/commitment> 	 Oracle is committed to developing practices and products that help protect the environment	


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]