security-services message



Subject: RE: [security-services] Action Items 236 and 231


Scott, see below

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Tuesday, October 11, 2005 9:27 AM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Action Items 236 and 231
>
>
> > *0236*: Errata on SSO Response when using HTTP-Artifact
> >
> > http://lists.oasis-open.org/archives/saml-dev/200509/msg00019.html
>
> Minor issue, but I suggest we insert a clarifying paragraph after line 1173
> of Bindings:
>
> "Finally, note that the use of the Destination attribute in the root SAML
> element of the protocol message is unspecified by this binding, because of
> the message indirection involved."

Wouldn't this apply to the SubjectConfirmation's Recipient attribute as well?

>
> > *#0231*: SOAP client cert authn and reln to SAML messages
>
> My memory of this "issue" isn't great, but I suppose we could add clarifying
> text to section 3.1.2.2 of Bindings by adding a sentence to the first
> paragraph:
>
> "Note that when SSL/TLS authentication is used, an X.509 certificate
> presented by a peer is typically used to authenticate messages produced by
> that peer, but the means by which the relationship is established between
> the identity in the certificate and the identity of the peer is not defined
> by SAML."

Since it's the identity of the peer as determined by the contents of the actual SAML message, how about changing your proposed text from

"between the identity in the certificate and the identity of the peer is not defined."

to

"between the identity in the certificate and the identity of the peer defined by the SAML message content, i.e., SAML message issuer, is not defined."

>
> Another way to go (arguably better perhaps) is to push all this to the
> phantom impl guidelines doc where we can hand wave about PKI and trust to
> our heart's content.
>
> -- Scott
>
>


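The second item above (the relationship between the identity in a TLS client certificate and the <saml:Issuer> of the message it carries, which the Bindings text leaves undefined) is something every SOAP-binding deployment has to decide for itself. The following is an added example, not code from the thread, from OASIS, or from any SAML implementation: it takes a SOAP-bound SAML message plus the PEM certificate the TLS layer already authenticated, and accepts the message only if that certificate's SHA-256 fingerprint is registered for the entityID named in the Issuer element. The registry is a constructed dict standing in for what a real deployment would load from SAML metadata <md:KeyDescriptor> elements; the SOAP message, the certificate bodies and the entityIDs are all constructed for illustration (the "certificates" are not real X.509 DER, only base64 payloads with the same PEM framing, which is enough to exercise the fingerprint path).

```python
"""Tie a TLS peer certificate to the <saml:Issuer> of a SOAP-bound SAML message.

Added illustration for the thread above; it is not code from OASIS or from any
SAML product.  SAML itself does not say how the identity in a peer's X.509
certificate relates to the SAML message issuer, so this shows one
deployment-defined rule: a registry of certificate fingerprints per entityID
(in practice filled from SAML metadata <md:KeyDescriptor>), consulted before
the message is acted on.  Chain validation is assumed to have already happened
in the TLS layer; this code only maps an authenticated cert to an issuer.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 hex digest over the base64 payload (the DER bytes) of a PEM cert."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block in peer certificate")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def message_issuer(soap_xml: str) -> str:
    """Return the entityID in <saml:Issuer> of the SAML message inside a SOAP Body."""
    root = ET.fromstring(soap_xml)
    body = root.find("soap:Body", NS)
    if body is None or len(body) == 0:
        raise ValueError("SOAP Body missing or empty")
    issuer = body[0].find("saml:Issuer", NS)  # first child is the SAML protocol message
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("SAML message carries no Issuer")
    return issuer.text.strip()


def peer_authenticates_issuer(soap_xml: str, peer_cert_pem: str, registry: dict):
    """(accepted, reason): accept only if the peer cert is registered for the Issuer.

    registry maps entityID -> set of SHA-256 fingerprints the deployment has
    bound to that entity.  An Issuer with no entry, or a cert not bound to the
    claimed Issuer, is rejected: the TLS identity and the SAML identity must
    agree before the message is trusted.
    """
    try:
        issuer = message_issuer(soap_xml)
        fp = cert_fingerprint(peer_cert_pem)
    except (ValueError, ET.ParseError) as exc:
        return False, f"rejected: {exc}"
    if issuer not in registry:
        return False, f"rejected: unknown issuer {issuer}"
    if fp not in registry[issuer]:
        return False, f"rejected: peer cert {fp[:16]}... not bound to {issuer}"
    return True, f"accepted: peer cert bound to {issuer}"


def _fake_pem(label: bytes) -> str:
    """Constructed PEM framing around an arbitrary payload (NOT a real certificate)."""
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs: entityIDs, certificates and message are all made up.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_CERT_PEM = _fake_pem(b"constructed payload standing in for the SP's DER certificate")
OTHER_CERT_PEM = _fake_pem(b"constructed payload standing in for some other party's cert")

# Registry a deployment would derive from its metadata; here just the SP's cert.
REGISTRY = {SP_ENTITY_ID: frozenset({cert_fingerprint(SP_CERT_PEM)})}

# A constructed SOAP-bound <samlp:ArtifactResolve>, as sent over the SOAP binding.
SOAP_ARTIFACT_RESOLVE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_constructed01" Version="2.0" IssueInstant="2005-10-11T09:27:00Z">
      <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
      <samlp:Artifact>AAQAAMh48/1oXIM+sDo7Dmx+constructedArtifactValue=</samlp:Artifact>
    </samlp:ArtifactResolve>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    for name, pem in (("SP cert", SP_CERT_PEM), ("other cert", OTHER_CERT_PEM)):
        print(name, peer_authenticates_issuer(SOAP_ARTIFACT_RESOLVE, pem, REGISTRY))
```

The fingerprint registry is only one way to express the binding; matching a certificate subject or SAN against a per-entity rule would fit the same function. Whichever rule is chosen, the point of the check is that a peer whose certificate chains correctly but is bound to a different entityID must not be able to send messages with another entity's Issuer.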
