FW: SAML and EBMS 3.0 [SEC=UNCLASSIFIED]

["Otto, Ian" <Ian.Otto@innovation.gov.au>]

Title: SAML and EBMS 3.0 [SEC=UNCLASSIFIED]

Hi All,

            Received the following from one of my colleagues in the Australian Government. I am assuming that dual signing is neither desirable nor intended. Is this something we can discuss and clarify?

 

Regards, Ian.

Ian Otto
Security Architect
VANguard and Infrastructure Branch
eBusiness Division
__________________________________________

Department of Industry, Innovation,
Science, Research and Tertiary Education

SAP House, Level 8.49, Bunda Street, Canberra City ACT 2600
GPO Box 9839, Canberra ACT 2601
Ph: +61-2-6276 1660 Fax: +61-2-6213 6684
Mobile: +61 403 458 215
Email:  Ian.Otto@innovation.gov.au
Internet: http://www.innovation.gov.au
ABN 74 599 608 295

 

 

 

     

 

From: Jones, Dean (Security Architect) [mailto:Dean.Jones@ato.gov.au]
Sent: Wednesday, 29 May 2013 5:45 PM
To: Young, Malcolm; Otto, Ian
Subject: SAML and EBMS 3.0 [SEC=UNCLASSIFIED]

 

Hi Malcolm, Ian,

There are currently some discussions going on here about the EBMS standard. I was pulled in to give my opinion about the following extract from the standard and how it affects us using SAML with EBMS.

Without looking deeply into the context my answer was that SAML could not be used as the sole mechanism for message integrity. If SAML signing were used (and we didn't want to break the standard) then we would have a dual signed EBMS message.

Do you have a different view?

Thanks.

2328 7.2. Signing Messages
2329 Signing of ebMS Messages is defined in Web Services Security [WSS10] and [WSS11]. Support for 2330 WSS X.509 Certificate Token Profile is REQUIRED to sign a message.

 

<<ebms_core-3.0-spec.zip>>

 

Dean Jones
Security Architect

Middleware and Common Services /
Integrated Common Services
Ph: 621 64369
Mobile: 0407 452 388

 

**********************************************************************
IMPORTANT
    The information transmitted is for the use of the intended
recipient only and may contain confidential and/or legally
privileged material. Any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in
reliance upon, this information by persons or entities other
than the intended recipient is prohibited and may result in
severe penalties. If you have received this e-mail in error
please notify the Privacy Hotline of the Australian Taxation
Office, telephone 13 2869 and delete all copies of this
transmission together with any attachments.
**********************************************************************

*************************************************************************
The information contained in this e-mail, and any attachments to it,
is intended for the use of the addressee and is confidential.  If you
are not the intended recipient you must not use, disclose, read,
forward, copy or retain any of the information.  If you received this
e-mail in error, please delete it and notify the sender by return
e-mail or telephone.

The Commonwealth does not warrant that any attachments are free
from viruses or any other defects.  You assume all liability for any
loss, damage or other consequences which may arise from opening
or using the attachments.

The security of emails transmitted in an unencrypted environment
cannot be guaranteed. By forwarding or replying to this email, you
acknowledge and accept these risks.
*************************************************************************