[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] New draft of SAML FAQ
Thank you for pulling this together folks... nice job. A couple
of minor comments: 1. Q: Will SAML PDPs need to be configured to understand only selected authentication decision queries? [Rob] This should be "authorization", not "authentication"
2. In the answer to "Q: What is the connection between acts of authentication and SAML authentication assertions?", "public key associated with signature on a document" should be "public key associated with **a** signature on a document".
3. The answer to "Q: How does SAML protect against "man-in-the-middle" and "replay" security attacks in general?" starts with "SAML doesn't really do anything "in general".". The initial impression is that they weren't taken into account, which isn't true. The specs provides guidance on things that deal with attack detection/avoidance such as uniqueness of identifiers, a requirement that requests by artifact must be received from the site for which the artifact was generated, etc. I think it is accurate to say something like "The SAML assertions and protocol schemas were developed with various types of security attacks in mind and include several mechanisms useful in mitigating such attacks." And then continue with the "Profiles..." sentences.
That's it for now... Now back to my vacation deck project...
Rob Philpott RSA Security Inc. The Most Trusted Name in e-Security Tel: 781-515-7115 Mobile: 617-510-0893 Fax: 781-515-7020 mailto:rphilpott@rsasecurity.com
> -----Original Message----- > From: Eve L. Maler [mailto:eve.maler@sun.com] > Sent: Monday, August 25, 2003 5:32 PM > To: 'security-services@lists.oasis-open.org' > Subject: [security-services] New draft of SAML FAQ > > Thanks to Jahan and Krishna for taking on this project. I've made a few > additional edits on Krishna's latest draft and want to see if anyone on > this list has any comments before we send this to the OASIS folks. The > new deadline is Sep 2, so we still have a little time. > > After the first version is published, I'll work with > Jahan/Krishna/whoever on next steps. (We could take this a *lot* > farther -- e.g., adding implementation info! -- but the hope is that > this will do for now.) > > So please speak now if you see any problems -- all comments are fair > game. Thanks, > > Eve > > -- > Eve Maler +1 781 442 3190 > Sun Microsystems cell +1 781 354 9441 > Web Products, Technologies, and Standards eve.maler @ sun.com > ********************************************************************** > SunNetwork 2003 Conference and Pavilion http://www.sun.com/sunnetwork > September 16-18, 2003 Moscone Center, San Francisco > An unparalleled event in network computing! Make the net work for you! |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]