OASIS Mailing List Archives

 



security-services message



Subject: [security-services] Question on section 3.1.3.2 in Bindings 12


hi Prateek,
 
in Section 3.1.3.2 for the SOAP protocol binding, four authentication methods are specified as required:

293    The SAML requester and responder MUST implement the following authentication methods:

294    1. No client or server authentication.

295    2. HTTP basic client authentication [RFC2617] with and without SSL 3.0 or TLS 1.0.

296    3. HTTP over SSL 3.0 or TLS 1.0 (see Section 550) server authentication with a server-side

297    certificate.

298    4. HTTP over SSL 3.0 or TLS 1.0 client authentication with a client-side certificate.

299    If a SAML responder uses SSL 3.0 or TLS 1.0, it MUST use a server-side certificate.

Is it indeed the intent that any implementation claiming conformance for the SOAP protocol binding has to support all four of these authentication methods (rather than, for example, any one of the four)?

thanks -

bob

 


