Subject: Fwd: SAML Conformance SSL/TLS requirements
--- Begin Message ---
- From: Eric Tiffany <eric.tiffany@ieee-isto.org>
- To: "Eve L. Maler" <Eve.Maler@Sun.COM>, prateek mishra <pmishra@principalidentity.com>
- Date: Tue, 19 Jul 2005 08:44:16 -0500
[In spite of various appeals, OASIS membership, and Applicant status, I am still unable to post to the SSTC list. Therefore I am sending to you]

I have a question about sections 5.1 and 5.2 of the SAML 2 conformance doc. These sections place requirements on "TLS-capable implementations", "FIPS TLS-capable implementations", etc., regarding required cipher suites.

What do "TLS-capable", "FIPS TLS-capable" mean? I know what TLS and FIPS are, but who determines that an implementation is one or the other or both?

Isn't the choice of cipher suite more of a deployment issue, and not something that SAML should define normatively? Whether a SAML implementation supports a particular cipher suite would seem to depend on the HTTP/SOAP webserver or appserver, not on the SAML code itself.

I think this places some unsupportable requirements on SAML library implementors who may not control how their otherwise-conformant implementations are deployed.

ET

--
____________________________________________________
Eric Tiffany | eric@projectliberty.org
Interop Tech Lead | +1 413-458-3743
Liberty Alliance | +1 413-627-1778 mobile

--- End Message ---