OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Encryption Usecases and Requirements

> I left out encrypting requests and responses deliberately. What is the
> reason for encrypting them? In general their contents will mostly be known
> or contain non-sensitive information. I don't object to making this a
> requirement if there is a valid reason, but it will be more trouble so I
> don't want to do it without a justifying use case.

I'd note that to my mind, the "sort of protocol" defined in SAML doesn't
allow for intermediaries. That's not to say bindings can't (the SOAP binding
certainly does) but they aren't SAML aware.

> Like you I am not an XML guy, but as I understand it, making the encrypted
> data schema-valid will require tweaking the entire schema to add optional
> alternative elements everywhere. I want everybody to understand the
> implications of and reasons for this requirement. It would certainly be
> easier to drop it. Both Scott and Eve pressed for it at the F2F. Perhaps
> they can speak to this point on the call today.

I pressed for not dismissing it as a requirement universally (because of my
use case that does), but never claimed it was a universal requirement.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]