Subject: RE: ISSUE:[UC-12-01:Encryption] (was RE: Comments on Straw Man 2 : Protection of message contents)
> Each binding must include a description of how the privacy and
> integrity of SAML messages can be protected within that binding.
> Examples: S/MIME for MIME, HTTP/S for HTTP.

I agree with the above suggestion; some discussion of this binding approach is included in the S2ML v. 0.8 spec, particularly for securing SAML assertions in S/MIME based message payloads in Section 6.3 of S2ML v. 0.8.

The Binding group, IMO, will need to specify general requirements for protecting SAML assertions included in a message (message integrity protection and message privacy are both needed) across a range of messaging and application protocols.

Suggestion #1, employing XML encryption so that SAML information is accessible only to an authorized party, will not be sufficient in itself, although it could be applicable in conjunction with a secure transport or S/MIME messaging. Furthermore, XML encryption is a standard-in-progress.

----Zahid

-----Original Message-----
From: Irving Reid [mailto:Irving.Reid@baltimore.com]
Sent: Monday, February 26, 2001 8:10 PM
To: security-use@lists.oasis-open.org
Subject: ISSUE:[UC-12-01:Encryption] (was RE: Comments on Straw Man 2: Protection of message contents)

This clearly can't be ready for ballot before the F2F, but I thought I'd respond to Darren's suggestion. What follows is my modified suggestion for issue ballot text:

ISSUE:[UC-12-01:Encryption]

UC-9-02:PrivacyStatement addresses the importance of sharing data only as needed between security zones (from asserting party to relying party). However, it is also important that data not be available to third parties, such as snoopers or untrusted intermediaries.

One possible solution for implementors is to use secure channels between relying party and asserting party. Another is to use encryption, either with a shared secret or with public keys.

Possible Resolutions:

1) Include an allowance for explicit use of encryption, such as XML Encryption (http://www.w3.org/Encryption/2001/), within SAML messages. SAML messages could then be transferred securely on any protocol.

2) Specify security properties in the Bindings documents. Each binding must include a description of how the privacy and integrity of SAML messages can be protected within that binding. Examples: S/MIME for MIME, HTTP/S for HTTP.
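The following Go program is an added illustration of the two points argued in this thread and is not code from the thread, from OASIS, or from any SAML or S2ML implementation. It models Resolution 1 (element-level encryption of the assertion inside the message, so the envelope can cross an untrusted intermediary on any protocol) and then shows the caveat in Zahid's reply: encrypting the assertion protects its privacy and the integrity of the ciphertext itself, but not the integrity of the surrounding message. The element names, the "urn:example:aes-gcm" algorithm identifier, the demo key and the assertion values are all constructed for the example; the EncryptedData layout is only loosely modelled on XML Encryption and is not an implementation of that specification.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// Assertion is a constructed, minimal stand-in for a SAML assertion.
type Assertion struct {
	XMLName  xml.Name `xml:"Assertion"`
	Issuer   string   `xml:"Issuer"`
	Subject  string   `xml:"Subject"`
	AuthTime string   `xml:"AuthenticationInstant"`
}

// EncryptedData loosely mirrors the shape of an XML Encryption EncryptedData
// element (assumed, simplified layout; not the real schema).
type EncryptedData struct {
	XMLName          xml.Name `xml:"EncryptedData"`
	EncryptionMethod struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"EncryptionMethod"`
	CipherValue string `xml:"CipherData>CipherValue"`
}

// Response is the outer message an intermediary routes on; only Recipient
// stays in the clear.
type Response struct {
	XMLName   xml.Name      `xml:"Response"`
	Recipient string        `xml:"Recipient,attr"`
	Encrypted EncryptedData `xml:"EncryptedData"`
}

// algoID is a placeholder identifier for this example, not a registered URI.
const algoID = "urn:example:aes-gcm"

// EncryptAssertion serialises the assertion and seals it with AES-256-GCM
// under a key shared by asserting and relying party (the "shared secret"
// option from the original message). CipherValue = base64(nonce||ct||tag).
func EncryptAssertion(key []byte, a Assertion) (EncryptedData, error) {
	var ed EncryptedData
	plain, err := xml.Marshal(a)
	if err != nil {
		return ed, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return ed, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ed, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return ed, err
	}
	sealed := gcm.Seal(nil, nonce, plain, nil)
	ed.EncryptionMethod.Algorithm = algoID
	ed.CipherValue = base64.StdEncoding.EncodeToString(append(nonce, sealed...))
	return ed, nil
}

// DecryptAssertion reverses EncryptAssertion. The GCM tag makes any change
// to the ciphertext fail here; changes outside EncryptedData are not seen.
func DecryptAssertion(key []byte, ed EncryptedData) (Assertion, error) {
	var a Assertion
	if ed.EncryptionMethod.Algorithm != algoID {
		return a, errors.New("unexpected encryption algorithm")
	}
	raw, err := base64.StdEncoding.DecodeString(ed.CipherValue)
	if err != nil {
		return a, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return a, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return a, err
	}
	if len(raw) < gcm.NonceSize() {
		return a, errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return a, err
	}
	return a, xml.Unmarshal(plain, &a)
}

// Leaks reports whether a serialised message exposes the given plaintext,
// i.e. what a snooper or untrusted intermediary would be able to read.
func Leaks(msg []byte, secret string) bool { return bytes.Contains(msg, []byte(secret)) }

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	a := Assertion{Issuer: "idp.example", Subject: "alice", AuthTime: "2001-02-26T20:10:00Z"}
	ed, _ := EncryptAssertion(key, a)
	out, _ := xml.MarshalIndent(Response{Recipient: "sp.example", Encrypted: ed}, "", "  ")
	fmt.Println(string(out))
	fmt.Println("subject visible to intermediary:", Leaks(out, "alice"))
	back, err := DecryptAssertion(key, ed)
	fmt.Println("decrypted subject:", back.Subject, "err:", err)
}
```

Run it and the printed Response shows only the Recipient attribute and an opaque CipherValue, so the intermediary learns nothing about the issuer or subject. A flipped byte in CipherValue makes DecryptAssertion fail, but a changed Recipient attribute is accepted without complaint: that is the gap the reply points at, and why message-level integrity (a signature over the whole message, S/MIME, or HTTP/S) is still required alongside element encryption.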