[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: HTTP binding
Colleagues - In preparation for tomorrow's telecon on the HTTP binding, let me offer this thought ...
The HTTP binding may be used for message 4 in the Web browser profile. In which case it will convey the SAML artifact. As knowledge of the artifact confers on one all the identities and attributes of the genuine subject, confidentiality is critical. Section 2.1.3.5 (Message confidentiality) states that "HTTP/S may be used ... "
I feel that a statement to the effect that confidentiality of the artifact is critical would be appropriate. Now, we may put such a statement in a security considerations section, or in the browser profile section; it doesn't have to be in 2.1.3.5. But, perhaps, it is appropriate to put a reference in 2.1.3.5 to the place where the statement is made.
Best regards. Tim.
---------------------------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC