security-services message
Subject: Re: Fw: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
- From: Heather Hinton <hhinton@us.ibm.com>
- To: Heather Hinton <hhinton@us.ibm.com>
- Date: Wed, 1 Feb 2006 12:01:36 -0600
Seeing as I can't find Scott's email as a stand-alone, here is the info below, put into a Word document (for editing).
Also, just FYI, I did include an example
at the end with multiple keys within the Encrypted Data - this should cover
the "broadcast" scenario that was discussed on this morning's
call. I checked with our local WS-I/BSP folks and they believe that this
is compatible with BSP guidelines, even though it is within the scope of
SAML.
[attachment "SAML-KeyReference-Erratav2.doc" deleted by Heather Hinton/Austin/IBM]
Thanks
Regards
Heather Hinton, PhD, PEng
Senior Security Architect, TFIM Product Architect
hhinton@us.ibm.com
tel: + 1 512 838 0455
T/L 678-0455
Heather Hinton/Austin/IBM@IBMUS
01/31/2006 11:46 AM
To: security-services@lists.oasis-open.org
Subject: Fw: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
----- Forwarded by Heather Hinton/Austin/IBM on 01/31/2006 11:44 AM -----
Heather Hinton/Austin/IBM
01/30/2006 04:44 PM
To: <jmoreh@sigaba.com>
Subject: RE: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
There was an email chain, but our excessively aggressive mail archiving
policies mean that I no longer have it (as it is more than 30 days old).
However, the issue was simply around key location within saml:EncryptedData.
In particular, we believe that the XML Encryption specification was not
properly followed for the referencing of keys for encrypted data. While
the approach used by other vendors certainly worked, it required that you
have advanced knowledge of how to locate the keys used to encrypt data,
and it was also limited to situations where you may have needed more than
one key within a message.
To clarify the situation, we propose the following errata:
Errata/Clarification to <sstc-saml-core-2.0-cd-04.pdf>, where added
text is defined like
this
<sstc-saml-core-2.0-cd-04.pdf>
6.1 General Considerations
Encryption of the <Assertion>, <BaseID>, <NameID> and <Attribute> elements is provided by use of XML Encryption [XMLEnc]. Encrypted data and optionally one or more encrypted keys MUST replace the cleartext information in the same location within the XML instance. The <EncryptedData> element's Type attribute SHOULD be used and, if it is present, MUST have the value http://www.w3.org/2001/04/xmlenc#Element.
If an encrypted key is NOT included in the transmitted XML, then the application must be able to locally determine the key, per XML Encryption. If the encrypted key is included with the transmitted XML, then it SHOULD be referenced within the EncryptedData or embedded within the EncryptedData. When referenced within the EncryptedData, the KeyInfo MUST include the defined RetrievalMethod.
Example: The parent element (saml:EncryptedID) contains the EncryptedData and the (referenced) EncryptedKey as siblings (note that the key can in fact be anywhere in the same document; the RetrievalMethod URI is the Id of the EncryptedKey, not of the EncryptedData):
<saml:EncryptedID
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Id="a21613ec-0106-e058-840b-e4c694f070ed"
      Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <!-- same-document reference to the sibling EncryptedKey below -->
      <RetrievalMethod
          URI="#a21613ed-0106-e16b-2d8f-e4c694f070ed"
          Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
    </KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>
        Nk4W4mx...
      </xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey
      Id="a21613ed-0106-e16b-2d8f-e4c694f070ed"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
    </xenc:EncryptionMethod>
    <xenc:CipherData>
      <xenc:CipherValue>
        PzA5X...
      </xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>
</saml:EncryptedID>
Example: EncryptedKey is contained and referenced within the EncryptedData:
<saml:EncryptedID
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData
      Id="a21613ec-0106-e058-840b-e4c694f070ed"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
    </xenc:EncryptionMethod>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"
          Id="a21613ed-0106-e16b-2d8f-e4c694f070ed">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <CipherData><CipherValue>SDFSDF....OFQBg=</CipherValue></CipherData>
      </EncryptedKey>
    </KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>
        Nk4W4mx...
      </xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedID>
In some cases, legacy implementations of SAML may implicitly identify the KeyInfo, simply through inclusion of EncryptedKey, together with EncryptedData, within the SAML EncryptedID. Note that this approach MUST NOT be used when there is to be more than one instance of EncryptedID in the transmitted XML or more than one EncryptedKey is included in the transmitted XML.
Any of the algorithms defined for use with XML Encryption MAY be used to perform the encryption. The SAML schema is defined so that the inclusion of the encrypted data yields a valid instance.
</sstc-saml-core-2.0-cd-04.pdf>
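As an added example (not code from this thread, the SAML TC, or any vendor's product), the Python resolver below applies the locating rules proposed above to a saml:EncryptedID: it first follows a ds:RetrievalMethod reference, then looks for an EncryptedKey embedded in ds:KeyInfo, and only as a last resort accepts the legacy unreferenced sibling, which it allows solely when the document holds exactly one EncryptedID and one EncryptedKey, as the proposed text requires. It goes one step beyond the errata text for the broadcast layout: when several EncryptedKey elements are candidates, it selects one by the optional Recipient attribute that XML Encryption defines on EncryptedKey. The sample documents, their Id values, the Recipient values and the cipher text placeholders are all constructed for this example.

```python
# Added example, not code from the thread or the SAML TC: locate the
# xenc:EncryptedKey for a saml:EncryptedID in the layouts the proposed
# errata text describes. Sample documents are constructed below with
# placeholder cipher text and made-up Id/Recipient values.
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def q(ns, local):
    return "{%s}%s" % (ns, local)

class KeyResolutionError(Exception):
    """Raised when the EncryptedKey cannot be located unambiguously."""

def _by_id(root, element_id):
    hits = [e for e in root.iter() if e.get("Id") == element_id]
    if len(hits) != 1:
        raise KeyResolutionError("Id %r matched %d elements" % (element_id, len(hits)))
    return hits[0]

def _pick(candidates, recipient):
    # Several EncryptedKey elements (one per recipient, the "broadcast" layout):
    # select by the optional Recipient attribute XML Encryption defines on
    # EncryptedKey. A single candidate needs no selector.
    if len(candidates) == 1 and recipient is None:
        return candidates[0]
    chosen = [k for k in candidates if k.get("Recipient") == recipient]
    if len(chosen) != 1:
        raise KeyResolutionError("%d EncryptedKey elements, %d match Recipient=%r"
                                 % (len(candidates), len(chosen), recipient))
    return chosen[0]

def resolve_encrypted_key(root, encrypted_id, recipient=None):
    """Return (EncryptedKey element, name of the layout it was found in)."""
    enc_data = encrypted_id.find(q(XENC, "EncryptedData"))
    if enc_data is None:
        raise KeyResolutionError("EncryptedID carries no EncryptedData")
    key_info = enc_data.find(q(DS, "KeyInfo"))
    if key_info is not None:
        # Layout 1: ds:RetrievalMethod of Type ...#EncryptedKey with a
        # same-document URI; the target must really be an EncryptedKey.
        targets = []
        for rm in key_info.findall(q(DS, "RetrievalMethod")):
            if rm.get("Type") != XENC + "EncryptedKey":
                continue
            uri = rm.get("URI", "")
            if not uri.startswith("#"):
                raise KeyResolutionError("external reference not followed: %r" % uri)
            target = _by_id(root, uri[1:])
            if target.tag != q(XENC, "EncryptedKey"):
                raise KeyResolutionError("%r is not an EncryptedKey" % uri)
            targets.append(target)
        if targets:
            return _pick(targets, recipient), "retrieval-method"
        # Layout 2: EncryptedKey embedded directly inside ds:KeyInfo.
        embedded = key_info.findall(q(XENC, "EncryptedKey"))
        if embedded:
            return _pick(embedded, recipient), "embedded"
    # Layout 3 (legacy): an unreferenced EncryptedKey beside the EncryptedData.
    # Accepted only while the whole document holds exactly one EncryptedID and
    # one EncryptedKey; with more of either, the pairing is guesswork.
    siblings = encrypted_id.findall(q(XENC, "EncryptedKey"))
    n_ids = sum(1 for _ in root.iter(q(SAML, "EncryptedID")))
    n_keys = sum(1 for _ in root.iter(q(XENC, "EncryptedKey")))
    if len(siblings) == 1 and n_ids == 1 and n_keys == 1:
        return siblings[0], "legacy-sibling"
    raise KeyResolutionError("no key reference and implicit lookup is ambiguous: "
                             "%d EncryptedID, %d EncryptedKey" % (n_ids, n_keys))

def resolve(xml_text, recipient=None, which=0):
    """Parse a document and resolve the key for its `which`-th EncryptedID."""
    root = ET.fromstring(xml_text)
    eids = list(root.iter(q(SAML, "EncryptedID")))
    key, how = resolve_encrypted_key(root, eids[which], recipient)
    return key.get("Id"), how

# Constructed sample documents (placeholder cipher text, made-up Ids).
NS = 'xmlns:saml="%s" xmlns:xenc="%s" xmlns:ds="%s"' % (SAML, XENC, DS)

def _key(key_id, recipient=""):
    attr = ' Recipient="%s"' % recipient if recipient else ""
    return ('<xenc:EncryptedKey Id="%s"%s><xenc:EncryptionMethod Algorithm="%srsa-1_5"/>'
            '<xenc:CipherData><xenc:CipherValue>PzA5X...</xenc:CipherValue>'
            '</xenc:CipherData></xenc:EncryptedKey>' % (key_id, attr, XENC))

def _eid(keyinfo, siblings="", data_id="ed"):
    return ('<saml:EncryptedID %s><xenc:EncryptedData Id="%s" Type="%sElement">'
            '<xenc:EncryptionMethod Algorithm="%saes128-cbc"/>%s<xenc:CipherData>'
            '<xenc:CipherValue>Nk4W4mx...</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>%s</saml:EncryptedID>'
            % (NS, data_id, XENC, XENC, keyinfo, siblings))

REFERENCED = _eid('<ds:KeyInfo><ds:RetrievalMethod URI="#ek-1" '
                  'Type="%sEncryptedKey"/></ds:KeyInfo>' % XENC, _key("ek-1"))
EMBEDDED = _eid("<ds:KeyInfo>%s</ds:KeyInfo>" % _key("ek-2"))
BROADCAST = _eid("<ds:KeyInfo>%s%s</ds:KeyInfo>" % (_key("ek-a", "sp-a"), _key("ek-b", "sp-b")))
LEGACY = _eid("", _key("ek-3"))
# Two EncryptedIDs, each with an unreferenced sibling key: the pairing the
# proposed text says MUST NOT be relied on.
AMBIGUOUS = "<root>%s%s</root>" % (_eid("", _key("ek-4"), "ed-4"), _eid("", _key("ek-5"), "ed-5"))
```

`resolve(REFERENCED)` and `resolve(EMBEDDED)` return the Id of the key plus the layout it was found in; `resolve(BROADCAST, recipient="sp-b")` picks the second recipient's key, while `resolve(BROADCAST)` with no selector and `resolve(AMBIGUOUS)` both raise KeyResolutionError rather than guess. The resolver deliberately refuses non-fragment RetrievalMethod URIs: fetching a key reference from an external location on the basis of an unauthenticated message is a different trust decision and should not happen implicitly inside the decryption path.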
"Jahan Moreh" <jmoreh@sigaba.com>
01/30/2006 02:51 PM
To: Heather Hinton/Austin/IBM@IBMUS
Subject: RE: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
Heather -
Was there an email regarding this erratum at all? If so, please send me
the email link. If not, kindly write a simple description of the erratum
and the proposed text to resolve the issue and I will add it to the errata
doc.
Thanks,
Jahan
From: Heather Hinton [mailto:hhinton@us.ibm.com]
Sent: Monday, January 30, 2006 12:41 PM
To: jmoreh@sigaba.com
Subject: Re: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
Jahan,
I just went through this and realized that the errata that we discussed
before Christmas (regarding key inclusion/reference within saml:EncryptedData,
discovered at Liberty sponsored interop in Nov) is not in this list. As
I have text/proposed solution (I was the one given the to-do on this item),
I wanted to submit it with reference to an errata number. However, I can't
find an errata number...
How do we proceed? Thanks
jmoreh@sigaba.com
01/30/2006 01:27 PM
To: security-services@lists.oasis-open.org
Subject: [security-services] Groups - sstc-saml-errata-2.0-draft-22.pdf uploaded
The document named sstc-saml-errata-2.0-draft-22.pdf has been submitted by Jahan Moreh to the OASIS Security Services (SAML) TC document repository.
Document Description:
Draft 22 of SAML 2.0 errata document. A Word version is also available.
Changes from Draft 21: --> Added PE39-42
View Document Details:
http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=16453
Download Document:
http://www.oasis-open.org/apps/org/workgroup/security/download.php/16453/sstc-saml-errata-2.0-draft-22.pdf
PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.
-OASIS Open Administration