OASIS Mailing List Archives

security-services message

Subject: Re: [security-services] Please review PE-16 text


Hi Scott,

In some cases such as SP-800-63 LoA 3 where non-repudiation is required, signing the message is probably not enough.

I can see cases where the assertion is signed then encrypted then the message is signed.

I agree that in most cases signing the message is sufficient as long as there is no way to trick an IdP into signing a message containing a SAML assertion.

Given that it is current practice in the FICAM and other profiles to sign then encrypt POST responses, we may want to be more explicit that you MUST sign the POST message if the assertion is CBC encrypted, even if the encrypted assertion is already signed.

I suspect that people may read:
Either the <Response> (or the <Assertion> element(s) in the <Response>) MUST be signed

to allow just signing inside the encryption.

Regards

John B.

On 2012-01-10, at 12:37 PM, Cantor, Scott wrote:

I have a complete proposal for PE-16 in Jira:

http://tools.oasis-open.org/issues/browse/SECURITY-16

The sooner we get the XML Encryption thing addressed the better, so please
review if you're going to be on the call today so we can approve it.

Once we fix up a couple of additional Security Considerations issues, I
think we'll want to start getting the errata moving towards final approval
again because of the criticality of some of the security issues.

-- Scott
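The point John raises above (a signature inside the encrypted assertion cannot protect the CBC ciphertext, so the POST message itself must be signed) can be turned into a concrete pre-decryption check on the service-provider side. The following is an added example, not code from this thread, from the PE-16 proposal, or from any SAML implementation. It uses only the Python standard library and encodes the rule as stated in the message: if a samlp:Response carries an EncryptedAssertion whose EncryptedData uses a CBC-mode algorithm, the Response element itself must carry an enveloped ds:Signature whose single Reference points at the Response's own ID; otherwise the SP refuses to decrypt. The sample messages, their IDs, the issuer URL and the placeholder digest/ciphertext values are constructed for the example, and actual XML-DSig verification (canonicalization, digests, SignatureValue) is assumed to be done afterwards by a separate, trusted library.

```python
"""Structural pre-check for a SAML 2.0 HTTP-POST Response carrying an
EncryptedAssertion.  Added example (stdlib only); not code from the OASIS
thread or from any SAML implementation.

Rule encoded: a CBC-encrypted assertion must be covered by a Response-level
signature.  A signature that sits inside the EncryptedAssertion cannot be
checked until after decryption, which is exactly the window a CBC
ciphertext-manipulation attack needs.  Cryptographic verification of the
signature is assumed to happen elsewhere once this check passes.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Block-cipher CBC-mode identifiers defined by XML Encryption 1.0.
CBC_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}


def cbc_encrypted_assertion_present(response: ET.Element) -> bool:
    """True if any EncryptedAssertion's EncryptedData uses a CBC-mode algorithm."""
    for enc in response.findall("saml:EncryptedAssertion", NS):
        for method in enc.findall("xenc:EncryptedData/xenc:EncryptionMethod", NS):
            if method.get("Algorithm") in CBC_ALGORITHMS:
                return True
    return False


def response_level_signature_present(response: ET.Element) -> bool:
    """True if a ds:Signature that is a direct child of the Response has a single
    same-document Reference to the Response's own ID (SAML core, section 5.4.2)."""
    resp_id = response.get("ID")
    if not resp_id:
        return False
    for sig in response.findall("ds:Signature", NS):
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if len(refs) == 1 and refs[0].get("URI") == "#" + resp_id:
            return True
    return False


def check_post_response(xml_text: str) -> tuple:
    """Return (accept, reason).  Runs before any key lookup or decryption."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if not cbc_encrypted_assertion_present(root):
        # Non-CBC or unencrypted assertions are outside the rule stated in the
        # thread; the general "Response or Assertion MUST be signed" check still
        # applies after decryption and is not repeated here.
        return True, "no CBC-encrypted assertion; outer-signature rule not triggered"
    if response_level_signature_present(root):
        return True, "CBC-encrypted assertion is covered by a Response-level signature"
    return False, "CBC-encrypted assertion without a Response-level signature; refusing to decrypt"


# --- constructed sample messages (digest and ciphertext values are placeholders) ---
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"  # XML Encryption 1.1 AEAD


def _signature(ref_uri: str) -> str:
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>' % ref_uri)


def _response(signature_xml: str, algorithm: str) -> str:
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" xmlns:xenc="%s" '
        'ID="_resp1" Version="2.0" IssueInstant="2012-01-10T18:00:00Z">'
        '<saml:Issuer>https://idp.example.org</saml:Issuer>%s'
        '<saml:EncryptedAssertion><xenc:EncryptedData Type="%sElement">'
        '<xenc:EncryptionMethod Algorithm="%s"/>'
        '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
        '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>'
        % (NS["samlp"], NS["saml"], NS["ds"], NS["xenc"], signature_xml, NS["xenc"], algorithm)
    )


SIGNED_CBC = _response(_signature("#_resp1"), AES128_CBC)          # sign after encrypt: accept
UNSIGNED_CBC = _response("", AES128_CBC)                           # only an inner, invisible signature: reject
WRONG_REF_CBC = _response(_signature("#_assertion1"), AES128_CBC)  # signature does not cover the Response: reject
UNSIGNED_GCM = _response("", AES128_GCM)                           # AEAD cipher: CBC rule not triggered

if __name__ == "__main__":
    for name, msg in [("SIGNED_CBC", SIGNED_CBC), ("UNSIGNED_CBC", UNSIGNED_CBC),
                      ("WRONG_REF_CBC", WRONG_REF_CBC), ("UNSIGNED_GCM", UNSIGNED_GCM)]:
        print(name, check_post_response(msg))
```

The check deliberately runs before any decryption: the "signed inside the encryption" reading John worries about leaves the ciphertext unauthenticated at exactly the moment the SP feeds it to a CBC decryptor, and a structural requirement for a Response-level signature with a Reference to the Response ID closes that reading regardless of how the errata text is eventually worded.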


