OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services] Possible 1.1 (and 1.0) errata


Scott -
This is the text in 1.1 core that references uniqueness (I am using draft
10, lines 360-362):

The mechanism by which a SAML system entity ensures that the identifier is
unique is left to the implementation. In the case that a pseudorandom
technique is employed, the probability of two randomly chosen identifiers
being identical MUST be less than 2^-128 and SHOULD be less than 2^-160.
This requirement MAY be met by encoding a randomly chosen value between 128
and 160 bits in length.

I actually think this text is correct! The key words here are: "randomly
chosen". I believe the case you identify below is the probability of
collision when one value is already chosen (i.e., a birthday attack). In
that case, indeed the probability is approximately 2^-n/2, where "n" is the
number of bits.

So, if this is not the text you are referencing, or, if I am mistaken in my
analysis, please let me know so that I can update the errata accordingly.

Thanks,
Jahan


----------------
Jahan Moreh
Chief Security Architect
310.286.3070

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Thursday, July 31, 2003 10:21 AM
> To: SAML
> Subject: [security-services] Possible 1.1 (and 1.0) errata
>
>
> It's been pointed out during review of the latest Liberty
> documents that the
> part in SAML about identifier uniqueness is overstated based on
> the intent.
> If the point is to use a SHA1 hash, then the actual collision
> probability in
> the spec language should be <= 2^-80 instead of < 2^-160
>
> Liberty had the same language and it was copied from SAML, so I
> figured I'd
> mention it.
>
> -- Scott
>
>
> You may leave a Technical Committee at any time by visiting
> http://www.oasis-open.org/apps/org/workgroup/security-services/mem
bers/leave_workgroup.php



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]