OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Public Comment


Comment from: sampo@symlabs.com

Name:
Title:
Organization:
Regarding Specification:

[13:54:41] sampo.kellomaki My "issue" with deflate is two fold: 1. the SAML2 spec is easy to misread in this regard. 2. I am not completely sure about the wisdom of using raw deflate without supplying integrity mechanism like checksum. zlib authors clearly state that raw deflate is intended for cases where such protections are provided by some mechanism other than zlib header or gzip header, but advise against using raw deflate if no such mechanisms are available.
[13:55:24]  SAML2 does not specify any such mechanism.
[13:56:31] Eric Tiffany so this is a spec issue, primarily. I think the reference to RFC1951 is pretty clearly stated, but perhaps there's some other aspect that wasn't clear? I can forward these issues to SSTC.
[13:57:52] sampo.kellomaki Yes 1951 is clearly stated, but a foot note calling out that "i.e. no zlib header is used" would avoid the common confusion.
[13:58:04] Eric Tiffany But so can you. They have a feedback form which I have used successfully to get stuff changed: http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=security
[13:58:29] sampo.kellomaki My second comment says that rfc1950 probably should have been specified in the first place.
[13:59:43] Eric Tiffany perhaps. So do you want to submit this suggestion(s)? I think you would be better able to respond if there were any followup questions 

--Sampo


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]