Subject: Re: [security-services] Please review PE-16 text
That said, I've added a brief additional sentence to each of the sections in profiles that adds a clarification about non-repudiation (though noting it's outside our scope).

-- Scott

On 1/10/12 11:59 AM, "Cantor, Scott" <cantor.2@osu.edu> wrote:

>On 1/10/12 11:48 AM, "John Bradley" <ve7jtb@ve7jtb.com> wrote:
>
>>Hi Scott,
>>In some cases such as SP-800-63 LoA 3 where non-repudiation is required,
>>signing the message is probably not enough.
>
>Yes, but we're not tasked to address issues of non-repudiation that arise
>from other requirements, we just have to secure our profiles.
>
>>Given that it is current practice within the FICAM and other profiles to
>>sign then encrypt POST responses we may want to be more explicit that you
>>MUST sign the POST message, if the assertion is CBC encrypted.
>>Even if the encrypted assertion is already signed.
>
>We can't add MUSTS, this is an errata. A separate conversation is whether
>we should consider making normative changes if we publish a 2.0.1 refresh
>of the standard, but I think that's going to be problematic too.
>
>Other profiles on top of SAML are of course able to dictate new MUSTS for
>things that are SHOULD or MAY in the standard.
>
>>I suspect that people may read:
>>Either the <Response> (or the <Assertion> element(s) in the <Response>)
>>MUST be signed
>>
>>To allow just signing inside the encryption.
>
>Absent the issues with encryption, that remains the official profile
>requirement, and we can't change that in errata.
>
>But the new language is explicitly saying that there are concerns about
>doing that. I agree with you that the new language doesn't explicitly say
>that you should sign *both*, because that isn't actually a SAML profile
>requirement. I don't think it discourages signing both though.
>
>-- Scott
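The thread's practical point is that a signature placed only on the <Assertion> inside an <EncryptedAssertion> cannot be checked until after the ciphertext has been decrypted, so when the assertion is CBC encrypted a relying party wants a signature on the outer <Response> as well. The following is an added example, not code from this thread, the OASIS SSTC or any SAML implementation: a small relying-party policy check that inspects a SAML 2.0 <Response> before decryption and refuses to proceed when the assertion is encrypted with a CBC-mode algorithm but the outer <Response> carries no enveloped ds:Signature. The element and algorithm names are the standard SAML/XMLDSig/XMLEnc ones; the sample messages, their placeholder ciphertext and signature values, and the assumption that actual signature verification is done separately by the SAML library are this example's own.

```python
# Added example (not from the thread): a pre-decryption policy check that a
# relying party can run on an inbound SAML 2.0 <Response>. It only decides
# whether decryption may be attempted; cryptographic verification of the
# outer signature is assumed to be done by the SAML library afterwards.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"  # XML Encryption 1.1 AEAD mode

# Block-cipher data-encryption algorithms in CBC mode from XML Encryption 1.0.
CBC_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
    AES128_CBC,
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}


def outer_signature_present(response):
    """True when <ds:Signature> is a direct child of <samlp:Response>, i.e. the
    whole POST message, ciphertext included, is covered by a signature."""
    return response.find("ds:Signature", NS) is not None


def encrypted_data_algorithms(response):
    """Data-encryption algorithm URI of each <saml:EncryptedAssertion>
    (None when an EncryptedData carries no EncryptionMethod)."""
    algs = []
    for ea in response.findall("saml:EncryptedAssertion", NS):
        method = ea.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        algs.append(method.get("Algorithm") if method is not None else None)
    return algs


def check_response(xml_text):
    """Return (ok, reason). ok=False means: do not attempt decryption."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    algs = encrypted_data_algorithms(root)
    if not algs:
        return True, "no encrypted assertion; normal signature rules apply"
    if any(a is None for a in algs):
        return False, "EncryptedAssertion without EncryptionMethod"
    if any(a in CBC_ALGORITHMS for a in algs) and not outer_signature_present(root):
        # A signature inside the ciphertext is invisible at this point, so it
        # cannot stand in for the outer one.
        return False, "CBC-encrypted assertion but no signature on the outer Response"
    return True, "ok"


def sample_response(outer_signature, algorithm):
    """Constructed test message; 'placeholder' stands in for real signature
    and ciphertext values. With outer_signature=False the only signature that
    could exist is the one inside the encrypted assertion."""
    sig = ("<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder"
           "</ds:SignatureValue></ds:Signature>") if outer_signature else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
        ' xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">'
        "<saml:Issuer>https://idp.example</saml:Issuer>" + sig +
        "<saml:EncryptedAssertion><xenc:EncryptedData>"
        '<xenc:EncryptionMethod Algorithm="' + algorithm + '"/>'
        "<xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue>"
        "</xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>"
        "</samlp:Response>"
    )


if __name__ == "__main__":
    for outer, alg in [(True, AES128_CBC), (False, AES128_CBC), (False, AES128_GCM)]:
        print(outer, alg.rsplit("#", 1)[1], check_response(sample_response(outer, alg)))
```

The check deliberately runs before any decryption, which is the order the thread argues for: a response whose only signature is inside the CBC ciphertext fails, a response signed on the outside passes and is handed to the library for signature verification and then decryption, and an AEAD algorithm such as AES-GCM is not subject to the rule because it already authenticates the ciphertext.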