security-bindings message



Subject: Minutes from Bindings Con-call, July 26


Attendees:
-------------------
Krishna Sankar
Simon Godik
Tim Moses
Prateek Mishra
 
 
Agenda Bashing:
 
Krishna: Plan to submit a binding and/or profile for BEEP. Is there
interest in this space?
 
Prateek: Definitely of interest, all of this is driven by the interest of
SAML participants.
 
Krishna: BEEP includes a SOAP-over-BEEP binding, presumably SAML SOAP
binding will work with this.
 
Simon: This should be a requirement of the SAML SOAP binding, that it is
generic and can work with many different substrate protocols.
 
Krishna: There is still an issue of providing a "native" SAML binding for
BEEP. 
 
Simon: Is there interest in a CORBA profile?
 
Prateek: I haven't looked at CSIv2 but if people are interested they
should push forward and submit a profile.
 
Issues with the SOAP binding:
 
(1) support for box-carring (has also been discussed in context of the 
HTTP binding); this needs to be presented to the general TC.
 
(2) Fault Codes discussion needs to be made more explicit. Distinction
between SAML-level errors and SOAP-level errors needs to be called out.
 
(3) [Tim Moses] Authentication and Integrity should be resolvable at the
substrate protocol level or at the SOAP level. For HTTP we can point to
HTTP/S with client and server certificates as a mandatory to implement
technique. At the SOAP level we would specify digital signing as one
technique.
 
(4) Discussion of digital signing: again, we need input from the TC
concerning acceptable signing formats. The SOAP case is complicated by the
fact that the entire SOAP message could be signed AND the enclosed
SAML message signed separately. Each provides authentication at a different
level but there is also a need to clarify how and when a "super-signature"
can also be seen as providing a signature for the elements within a SOAP
message.
 
 
(5) Confidentiality:
 
Can be resolved at the substrate protocol level (again HTTPS with 
server-side certificates provides a mandatory to implement technique).
Unfortunately, at the SOAP level itself there is no standard message
oriented technique for confidentiality. This will only be possible
when the XML-ENCRYPTION standard becomes available. So for the
near future, we have to depend on point-to-point confidentiality only.
 
 
- prateek
 

