Subject: [security-services] RE: Question on section 3.1.3.2 in Bindings 12
-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Thursday, March 28, 2002 2:12 PM
To: 'Robert Griffin'
Subject: RE: Question on section 3.1.3.2 in Bindings 12

All four authentication methods must be supported by an implementation claiming conformance with the SAML SOAP binding. The idea here is that we are guaranteeing support for a reasonable class of security models. Hence, there is a strong likelihood of inter-operability between distinct vendors (without need for side-agreements concerning authentication).

[Robert Griffin] thanks

- prateek

-----Original Message-----
From: Robert Griffin [mailto:Robert.Griffin@entrust.com]
Sent: Thursday, March 28, 2002 2:03 PM
To: 'Mishra, Prateek'; 'security-services@lists.oasis-open.org'
Subject: Question on section 3.1.3.2 in Bindings 12

hi Prateek,

in Section 3.1.3.2 for the SOAP protocol binding, four authentication methods are specified as required:

293 The SAML requester and responder MUST implement the following authentication methods:
294 1. No client or server authentication.
295 2. HTTP basic client authentication [RFC2617] with and without SSL 3.0 or TLS 1.0.
296 3. HTTP over SSL 3.0 or TLS 1.0 (see Section 550) server authentication with a server-side
297 certificate.
298 4. HTTP over SSL 3.0 or TLS 1.0 client authentication with a client-side certificate.
299 If a SAML responder uses SSL 3.0 or TLS 1.0, it MUST use a server-side certificate.
Is it indeed the intent that any implementation claiming conformance for the SOAP protocol binding has to support all four of these authentication methods (rather than, for example, any one of the four)?
thanks -
bob