OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Groups - sstc-saml-bindings-2.0-draft-10.pdfuploaded

> Per lines 692-694, a recommendation for not less than 8 pseudorandom
> bytes within a 20-byte MessageHandle seems somewhat short relative 
> to contemporary crypto practice, also noting the Security Considerations 
> statement at line 772 that the binding relies on the property of the
> artifact being a hard-to-forge short-term reference.  Since the
> MessageHandle is effectively a form of shared secret, I'd suggest
> recommending pseudorandomness to the 112-bit or 128-bit level, rather
> than 64-bit.  Would this create a problem for anyone?

Text of course was copied from the old artifact text in both SAML 1.1 and
ID-FF, but I thought it seemed a bit too short myself...

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]