OASIS Mailing List Archives
security-services message
Subject: [Action - Gil]: To make a proposal on the mandatory use of HTTPS


All,
 
I am struggling with this action item. The issue originates
from the mandatory use of HTTP(S) in 4.1.4.1 (SAML Artifact)
and 4.1.4.3 (Form POST) between the browser-equipped
user and the source and destination sites respectively.
The essential issue therein is
confidentiality of the SAML artifact (4.1.4.1) or SAML assertions
(4.1.4.3).
If we do not use HTTPS, the HTTP traffic between the user and
the source or destination can be copied and used
for impersonation.
 
There was concern about this requirement at F2F#4, and as Gil
is away the action item has fallen to me. But I am genuinely puzzled
as to how we can move away from this requirement.
 
(1) Should the text merely state that confidentiality is a requirement
(MUST) (could be met in some unspecified way?) and that HTTPS
MAY be used? I am opposed to this formulation as it is not specific
enough to support interoperability. How can a pair of sites
collaborate to support the web browser profile if each uses some
arbitrary method for confidentiality?
 
(2) Another approach would be to require confidentiality (MUST)
and specify HTTPS as a mandatory-to-implement feature.
Those sites that prefer to use some other method for confidentiality
can do so, but all sites must also support HTTPS. This ensures
interoperability, as we can always fall back on HTTPS.
 
Comments are invited.  
 
- prateek
 

