OASIS Mailing List Archives

security-services message



Subject: F2F AI 14- Check existing Text on Soap Security in SOAP Binding


I looked at section 3.2 of the Bindings document:

http://www.oasis-open.org/committees/download.php/6324/sstc-saml-bindings-2.0-draft-09-diff.pdf

It looks ok to me in terms of what it says about security.

The only suggestion I have is to change the last sentence of sections 3.2.2.3, 3.2.2.4 and 3.2.2.5 from:

[Authentication | Integrity | Confidentiality] mechanisms designed specifically for SOAP message exchange MAY also be utilized.

to something like:

When [Authentication | Integrity | Confidentiality] at the SOAP message exchange layer is required, the use of the mechanisms specified by [reference to OASIS WSS Std] is RECOMMENDED.

----

On a side note, somebody should take a look at the description of SOAP in section 3.2. I don't believe many people would now agree with the characterization of SOAP as "RPC-like". The SAML protocol(s) may be RPC-like, but SOAP supports many alternative MEPs.

Hal

