

Subject: FW: HTTP binding


 

-----Original Message-----
From: Mishra, Prateek 
Sent: Wednesday, July 11, 2001 5:25 PM
To: 'Tim Moses'
Cc: 'security-bindings@lists.oasis-open.org'
Subject: RE: HTTP binding


Agreed. I will make a note of it for the next draft. It is reasonable to
point to parts of a specific binding as
an instance of implementation of a mandatory provision.
 
- prateek

-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Wednesday, July 11, 2001 4:24 PM
To: 'security-bindings@lists.oasis-open.org'
Subject: RE: HTTP binding



Prateek - Thanks for pointing this out.  You are perfectly correct (of
course) and I agree on all counts.  But, just so that it doesn't appear that
I am giving up too easily, I would advocate a cross-reference in 2.1.3.5
(and corresponding sections in other binding specifications) to the
statement in 3.1.2 on confidentiality for the artifact, that confidentiality
is not optional in this case, and that HTTP/S is the mandatory,
interoperable, confidentiality mechanism.  I'll understand if you feel that
the subject is already sufficiently thoroughly treated.  But, if
confidentiality is mandatory in any circumstance, then we need a mandatory
mechanism, otherwise interoperability may be jeopardized.

Best regards.  Tim. 

-----Original Message----- 
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Wednesday, July 11, 2001 4:25 PM 
To: 'Tim Moses' 
Cc: 'security-bindings@lists.oasis-open.org' 
Subject: RE: HTTP binding 


Tim, 
  
this issue is covered in 3.1.2 of the web browser profile of the bindings
doc (0.04), lines 485-491. The web browser profile does not mandate the use
of the SAML HTTP binding. For example, a SOAP binding may be preferred in
some situations.
  
The profile does require that the selected 
SAML binding MUST support confidentiality. 
  
  
- prateek 

-----Original Message----- 
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Wednesday, July 11, 2001 3:15 PM 
To: 'Oasis security services bindings' 
Subject: HTTP binding 



Colleagues - In preparation for tomorrow's telecon on the HTTP binding, let 
me offer this thought ... 

The HTTP binding may be used for message 4 in the Web browser profile.  In 
which case it will convey the SAML artifact.  As knowledge of the artifact 
confers on one all the identities and attributes of the genuine subject, 
confidentiality is critical.  Section 2.1.3.5 (Message confidentiality) 
states that "HTTP/S may be used ... " 

I feel that a statement to the effect that confidentiality of the artifact 
is critical would be appropriate.  Now, we may put such a statement in a 
security considerations section, or in the browser profile section; it 
doesn't have to be in 2.1.3.5.  But, perhaps, it is appropriate to put a 
reference in 2.1.3.5 to the place where the statement is made. 

Best regards.  Tim. 

---------------------------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
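The point Tim raises (whoever holds the artifact can act as the subject, so message 4 must never travel in the clear) is easy to turn into a concrete check on the relying party's side. The following Python is an added example written for this archive page; it is not code from the OASIS bindings work or from either correspondent. It assumes the artifact is carried as a query parameter named `SAMLart` (an assumed name, not taken from the thread) and it treats HTTP/S as the only acceptable confidentiality mechanism, as the thread proposes. One function guards the construction of the message 4 redirect so an artifact is never handed to a plaintext URL; another audits constructed proxy-style log lines (made up for this example) for artifacts that were sent over plain HTTP.

```python
"""Enforce and detect the 'artifact only over HTTP/S' rule from the thread.

Added example for this page; not part of the original OASIS discussion.
Assumptions: the artifact query parameter is named 'SAMLart' (assumed),
and the audited log records the full request URL, proxy-style.
"""
import re
from urllib.parse import parse_qs, urlsplit

ARTIFACT_PARAM = "SAMLart"  # assumed name of the artifact query parameter

# Matches the request line inside a log entry, e.g. "GET https://... HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed sample log (proxy-style, full URLs); none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2001:15:15:01 -0400] "GET https://sp.example/acs?SAMLart=AAQAAconstructed1 HTTP/1.1" 200 512
10.0.0.6 - - [11/Jul/2001:15:16:02 -0400] "GET http://sp.example/acs?SAMLart=AAQAAconstructed2 HTTP/1.1" 200 512
10.0.0.7 - - [11/Jul/2001:15:17:03 -0400] "GET http://sp.example/index.html HTTP/1.1" 200 1024
"""


def carries_artifact(url: str) -> bool:
    """True if the URL's query string contains the artifact parameter."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return ARTIFACT_PARAM in query


def is_confidential(url: str) -> bool:
    """Only HTTP/S counts as a confidentiality mechanism here, matching the
    thread's proposal that it be the mandatory, interoperable one."""
    return urlsplit(url).scheme.lower() == "https"


def redirect_target_for_artifact(url: str) -> str:
    """Guard used when building message 4 of the web browser profile:
    refuse to redirect the browser (and the artifact) to a plaintext URL."""
    if carries_artifact(url) and not is_confidential(url):
        raise ValueError(f"artifact would be sent over a non-TLS transport: {url}")
    return url


def audit_log(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, url) for every request that carried the artifact
    over plain HTTP, i.e. every violation of the confidentiality requirement."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group("url")
        if carries_artifact(url) and not is_confidential(url):
            findings.append((lineno, url))
    return findings


if __name__ == "__main__":
    for lineno, url in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: artifact exposed over plaintext: {url}")
```

Run against the constructed log, only the second line is reported: the first carries the artifact over HTTP/S and the third carries no artifact at all. The guard function is the piece a deployer would wire into whatever issues the redirect, so that the "MUST support confidentiality" requirement is enforced at the point where the artifact leaves the site rather than discovered later in a log review.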


