
security-services message


Subject: Fwd: SAML Conformance SSL/TLS requirements

Note: forwarded message attached.
--- Begin Message ---
[In spite of various appeals, OASIS membership, and Applicant status, I am
still unable to post to the SSTC list.  Therefore I am sending to you]

I have a question about sections 5.1 and 5.2 of the SAML 2 conformance doc.

These sections place requirements on "TLS-capable implementations", "FIPS
TLS-capable implementations", etc., regarding required cipher suites.

What do "TLS-capable", "FIPS TLS-capable" mean?  I know what TLS and FIPS
are, but who determines that an implementation is one or the other or both?
Isn't the choice of cipher suite more of a deployment issue, and not
something that SAML should define normatively?

Whether a SAML implementation supports a particular cipher suite would seem
to depend on the HTTP/SOAP webserver or appserver, not on the SAML code
itself.  I think this places some unsupportable requirements on SAML library
implementors who may not control how their otherwise-conformant
implementations are deployed.

Eric  Tiffany             |  eric@projectliberty.org
Interop Tech  Lead        |  +1 413-458-3743
Liberty Alliance          |  +1 413-627-1778 mobile

--- End Message ---
