OASIS Mailing List Archives

security-services message

Subject: Re: [security-services] Please review PE-16 text


That said, I've added a brief additional sentence to each of the sections
in profiles that adds a clarification about non-repudiation (though
noting it's outside our scope).

-- Scott

On 1/10/12 11:59 AM, "Cantor, Scott" <cantor.2@osu.edu> wrote:

>On 1/10/12 11:48 AM, "John Bradley" <ve7jtb@ve7jtb.com> wrote:
>
>>Hi Scott,
>>In some cases such as SP-800-63 LoA 3 where non-repudiation is required,
>>signing the message is probably not enough.
>
>Yes, but we're not tasked to address issues of non-repudiation that arise
>from other requirements, we just have to secure our profiles.
>
>>Given that it is current practice within the FICAM and other profiles to
>>sign then encrypt POST responses we may want to be more explicit that you
>>MUST sign the POST message, if the assertion is CBC encrypted.
>>Even if the encrypted assertion is already signed.
>
>We can't add MUSTS, this is an errata. A separate conversation is whether
>we should consider making normative changes if we publish a 2.0.1 refresh
>of the standard, but I think that's going to be problematic too.
>
>Other profiles on top of SAML are of course able to dictate new MUSTS for
>things that are SHOULD or MAY in the standard.
>
>>I suspect that people may read:
>>Either the <Response> (or the <Assertion> element(s) in the <Response>)
>>MUST be signed
>>
>>To allow just signing inside the encryption.
>
>Absent the issues with encryption, that remains the official profile
>requirement, and we can't change that in errata.
>
>But the new language is explicitly saying that there are concerns about
>doing that. I agree with you that the new language doesn't explicitly say
>that you should sign *both*, because that isn't actually a SAML profile
>requirement. I don't think it discourages signing both though.
>
>-- Scott

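The point John and Scott are circling above (a signature inside a CBC-encrypted assertion does not protect the ciphertext, so a relying party that only checks the inner signature still decrypts attacker-modified ciphertext and leaks whether the padding was valid, while a signature over the outer <Response> rejects tampering before decryption) can be shown in a small model. The following is an added example, not code from the thread, from OASIS, or from any SAML implementation. It assumes a toy 4-round Feistel block cipher keyed with HMAC-SHA256 in place of AES-CBC, HMAC-SHA256 tags in place of XML Signature, one key shared by the inner and outer signature (a simplification), and a constructed assertion string; the function names are hypothetical.

```python
"""Model of 'sign inside the encryption' vs 'sign the outer message' with CBC.

Added example, not from the SAML thread or any real implementation.
Assumptions (not in the original text): toy Feistel cipher instead of AES,
HMAC-SHA256 instead of XML Signature, one key for inner and outer tags.
"""
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, like AES-CBC in XML Encryption


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: keyed PRF truncated to the 8-byte half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def _decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(_decrypt_block(key, blk), prev)  # flipping a byte of prev flips this byte
        prev = blk
    return unpad(out)


def issue_response(enc_key, sig_key, assertion, sign_outer):
    """Issuer side: sign the assertion, CBC-encrypt it, optionally sign the ciphertext too."""
    inner_sig = hmac.new(sig_key, assertion, hashlib.sha256).digest()
    iv = os.urandom(BLOCK)
    ct = iv + cbc_encrypt(enc_key, iv, pad(assertion + inner_sig))
    outer_sig = hmac.new(sig_key, ct, hashlib.sha256).digest() if sign_outer else None
    return ct, outer_sig


def consume_response(enc_key, sig_key, ct, outer_sig):
    """Relying-party side: returns 'ok' or the error class an attacker can observe."""
    if outer_sig is not None:
        expected = hmac.new(sig_key, ct, hashlib.sha256).digest()
        if not hmac.compare_digest(outer_sig, expected):
            return "outer signature invalid"  # rejected before any decryption
    try:
        pt = cbc_decrypt(enc_key, ct[:BLOCK], ct[BLOCK:])
    except ValueError:
        return "padding error"  # decryption happened; padding validity leaks
    assertion, inner_sig = pt[:-32], pt[-32:]
    if not hmac.compare_digest(inner_sig, hmac.new(sig_key, assertion, hashlib.sha256).digest()):
        return "inner signature invalid"  # only detectable after decryption
    return "ok"


def padding_oracle_probe(enc_key, sig_key, ct, outer_sig):
    """Attacker sets the byte feeding the last plaintext byte to all 256 values
    and records which distinct answers the relying party gives."""
    seen = set()
    for v in range(256):
        tampered = bytearray(ct)
        tampered[-BLOCK - 1] = v
        seen.add(consume_response(enc_key, sig_key, bytes(tampered), outer_sig))
    return seen


if __name__ == "__main__":
    enc_key, sig_key = os.urandom(32), os.urandom(32)
    assertion = b"<saml:Assertion>subject=alice;issuer=idp.example</saml:Assertion>"  # constructed
    for outer in (False, True):
        ct, sig = issue_response(enc_key, sig_key, assertion, sign_outer=outer)
        print("outer signature" if outer else "inner signature only",
              "->", sorted(padding_oracle_probe(enc_key, sig_key, ct, sig)))
```

With only the inner signature the relying party answers "padding error" for most probes and "inner signature invalid" for the one that yields a one-byte padding, which is the distinguishing behaviour a padding-oracle attack needs; with the outer signature every modified ciphertext gets the same "outer signature invalid" answer and is never decrypted. This is why signing the POST message outside the encryption matters even when the encrypted assertion is itself signed.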