OASIS Mailing List Archives
security-bindings message



Subject: Minutes of Bindings Con-Call, July 12


Attendees:
-------------
Carlisle Adams
Evan Prodromou
Simon Godzik
Prateek Mishra
 
Agenda: HTTP Binding (Section 2.1 from bindings 0.4)
--------------------------------------------------------------------
(1) Digital Signing:
Section 2.1.3.4.1 describes specifics of the use of XML-DSIG for
signing request/response messages (e.g., enveloped, enveloping, etc.).
The general suggestion was that instead we should call out a SAML
profile for DSIG separately and refer to it here. Evan P. has
volunteered to drive this effort forward.
 
Detached Signatures: should the SAML profile support
detached signing? The group couldn't find any good examples
in SAML where support for detached signatures is needed.
 
(2) Comments on 2.1.3.4: Authentication and Message Integrity
 
Text needs to be tightened up and also state:
 
(a) Request/Response messages that pass through intermediaries
MUST be digitally signed.
 
(b) If a requester and responder communicate with each other
without the use of intermediaries, then mutual authentication
using client-certificates over HTTPS may be used.
 
(3) Comments on 2.1.3.5: Confidentiality
 
Two issues here: (a) consensus that a server-side certificate MUST be
required with SSL and that the text needs to be changed to reflect this.
SSL supports a model in which neither end requires a certificate
("Diffie-Hellman Key Exchange") but this isn't widely deployed.
 
(b) open issue raised by Simon, whether the binding should also encompass
use of other techniques for confidentiality, such as those based on a
secret key. There seemed to be some resistance to this from the group.
I will carry this forward as an open issue [ISSUE:Bindings-HTTP-01].
 
(4) 2.1.3.6.2 400 Bad Request
 
Text should be changed to reflect that only HTTP level errors (headers,
unknown URL) generate a 400 Bad Request.
All SAML level errors will be included within a SAML response and not
exposed at the HTTP level.
 
(5) Boxcarring
 
How to bundle multiple SAML requests within a single HTTP request? The 0.4
HTTP binding does not have discussion of this topic.
 
There were two opinions in this space: (a) SAML requires a general
boxcarring solution, which should be called out by the core
assertions & protocols group. (b) a solution specific to a particular
binding is acceptable and may also be simpler to implement.
 
I will carry this forward as [ISSUE:Bindings-HTTP-02] and report on this to
the TC.
 
(6) Cache control Headers
 
There was some discussion of this topic, but on reviewing my notes I found
it somewhat unclear. Simon has sent a message on the topic [Simon] but it
appears to be related to 3 (b) above.
 
Does the discussion imply that we should always REQUIRE the HTTP 1.1 header:
 
Cache-Control: no-cache
 
OR
 
Pragma: no-cache 
 
(HTTP 1.0)
 
and include this header in the list of required headers (2.1.3.2)?
[ISSUE:Bindings-HTTP-03]
 
 
[Simon]
http://lists.oasis-open.org/archives/security-bindings/200107/msg00007.html


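The following is an added illustration, not code from the OASIS Security Services TC or from the bindings 0.4 draft. It models the two handling rules discussed above under (4) and (6): only HTTP-level problems (method, unknown URL, headers) produce a 400 Bad Request, every SAML-level problem is reported inside a samlp:Response returned with HTTP 200, and both no-cache headers are attached to every response. The SAML protocol namespace, the status-code values, the responder path /saml/responder, the set of supported queries, the text/xml Content-Type requirement and the decision to treat an unparseable body as an HTTP-level error are all assumptions made for the example, not positions taken in the minutes.

```python
# Added illustration for the minutes' items (4) and (6); not TC code.
import xml.etree.ElementTree as ET

# Assumption: SAML protocol namespace and status-code values, used only for
# illustration.
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("samlp", SAMLP_NS)

RESPONDER_PATH = "/saml/responder"                              # hypothetical URL
SUPPORTED_QUERIES = {"AuthenticationQuery", "AttributeQuery"}   # assumed

# The two cache-control headers from item (6), sent on every response.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-cache",   # HTTP/1.1
    "Pragma": "no-cache",          # HTTP/1.0
}


def saml_response(status_code, message=None):
    """Serialize a minimal samlp:Response carrying only a Status element."""
    resp = ET.Element(f"{{{SAMLP_NS}}}Response")
    status = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
    ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode", Value=status_code)
    if message:
        ET.SubElement(status, f"{{{SAMLP_NS}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def http_error(text):
    """HTTP-level failure: plain 400 with no SAML payload."""
    return 400, dict(NO_CACHE_HEADERS), text


def handle(method, path, headers, body):
    """Process one HTTP request; return (status, response_headers, body).

    `headers` is a dict keyed by lower-cased header names.
    """
    # HTTP-level checks: the only source of a 400 Bad Request.
    if method != "POST":
        return http_error("Bad Request: SAML requests must be sent with POST")
    if path != RESPONDER_PATH:
        return http_error("Bad Request: unknown URL")
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "text/xml":            # assumed required Content-Type
        return http_error("Bad Request: Content-Type must be text/xml")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Assumption: a body that is not well-formed XML is an HTTP-level
        # error, since no SAML request can be read from it at all.
        return http_error("Bad Request: body is not well-formed XML")

    # Everything below is a SAML-level outcome: HTTP 200 plus a samlp:Response.
    ok_headers = {"Content-Type": "text/xml", **NO_CACHE_HEADERS}
    if root.tag != f"{{{SAMLP_NS}}}Request":
        return 200, ok_headers, saml_response(
            "samlp:Requester", "top-level element is not samlp:Request")
    queries = [c for c in root if c.tag.startswith(f"{{{SAMLP_NS}}}")]
    if len(queries) != 1:
        return 200, ok_headers, saml_response(
            "samlp:Requester", "exactly one query element is expected")
    query_name = queries[0].tag.split("}", 1)[1]
    if query_name not in SUPPORTED_QUERIES:
        return 200, ok_headers, saml_response(
            "samlp:Responder", f"unsupported query {query_name}")
    return 200, ok_headers, saml_response("samlp:Success")


def status_code_of(response_body):
    """Extract the StatusCode Value from a samlp:Response body."""
    root = ET.fromstring(response_body)
    return root.find(f".//{{{SAMLP_NS}}}StatusCode").get("Value")


# Constructed sample requests for the demo (not captured traffic).
GOOD_REQUEST = (
    f'<samlp:Request xmlns:samlp="{SAMLP_NS}" RequestID="r1">'
    '<samlp:AttributeQuery/></samlp:Request>')
UNSUPPORTED_REQUEST = (
    f'<samlp:Request xmlns:samlp="{SAMLP_NS}" RequestID="r2">'
    '<samlp:AuthorizationDecisionQuery/></samlp:Request>')
XML_HEADERS = {"content-type": "text/xml; charset=utf-8"}

if __name__ == "__main__":
    for args in [("GET", RESPONDER_PATH, {}, ""),
                 ("POST", "/no/such/path", XML_HEADERS, GOOD_REQUEST),
                 ("POST", RESPONDER_PATH, XML_HEADERS, "<broken"),
                 ("POST", RESPONDER_PATH, XML_HEADERS, UNSUPPORTED_REQUEST),
                 ("POST", RESPONDER_PATH, XML_HEADERS, GOOD_REQUEST)]:
        status, hdrs, out = handle(*args)
        print(status, hdrs["Cache-Control"], out[:80])
```

Note that the unsupported query and the malformed top-level element both come back as HTTP 200: a monitoring proxy between requester and responder sees only a successful HTTP exchange, and the failure is visible solely to a party that parses the samlp:Response. That is the consequence of the position recorded in item (4), and it is the reason the no-cache headers of item (6) matter on every response, not only on errors.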