security-services message

Subject: discussion re NIST 800-63 and SAML LoA


Tim:

This is a note following up on our talk at IETF regarding the use of SAML 
signon at higher assurance levels in NIST 800-63.  I've cc'd the SAML TC 
and its chairs, since they may want to follow up further (I'm leaving on 
vacation shortly).  Here's what I recall we talked about:

* You said that there are some USG agencies interested in using SAML 
signon at LoA 4, so it would be good to figure out if that can be done 
somehow.

* We agreed that the issue regarding use of SAML signon at LoA 4 is that 
the use of Bearer subject confirmation in the standard web browser profile 
doesn't provide a crypto-key binding between the client and the assertion. 
You mentioned that you and Bill had even done some whiteboarding looking 
for a way to get around this.  I explained the notion of Subject 
Confirmation and said that a new draft describing the use of 
"holder-of-key" subject confirmation is going through the TC now that 
should address this issue.  You can find this via the TC documents page:

  http://www.oasis-open.org/committees/documents.php?wg_abbrev=security

Just look for

  sstc-saml-holder-of-key-browser-sso-draft

(currently draft -05).

* You said you have someone working on this issue right now, so it would 
be a good time for interested TC members to help him get the language 
right on this.  We figured that it could probably be stated in a generic 
fashion, i.e., avoiding reference to "holder-of-key" specifically, rather 
saying that the mechanism has to provide a crypto binding between the 
assertion and a client-wielded key, or something like that.

* Regarding the issue of the generic use of "Assertions" in 800-63 as 
opposed to mentioning SAML or other technologies specifically, you thought 
it would be reasonable for the TC to issue a document as a supplement to 
the upcoming 800-63 stating in appropriate detail how SAML can be used to 
meet 800-63 requirements for use of assertions.  But you're open to 
negotiation on this.

I think that was about it.  I'm glad we had a chance to get together on 
this, as it seems important to both the 800-63 consumers and the SAML 
community to get this right.

  - RL "Bob"
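
The difference Bob describes above (bearer confirmation binds the assertion to nobody, holder-of-key binds it to a key the client must wield) is easier to see as the check a service provider actually runs. The following is an added example and is not code from the message, the SSTC draft, or any SAML implementation. It assumes the client-wielded key is the X.509 certificate the browser used for TLS client authentication, that the assertion's signature has already been verified before this step, and that the endpoint names, the assertion contents and the "certificates" (base64 of stand-in bytes, not real DER) are all constructed for the demo.

```python
"""Subject-confirmation check an SP can run on a SAML 2.0 assertion (added example).

Bearer: whoever presents an unexpired assertion addressed to this SP is accepted,
so a stolen or replayed assertion works.  Holder-of-key: the presenter must also
prove possession of a key named in the assertion (here the TLS client cert).
Signature verification over the assertion is assumed done earlier; not shown.
"""
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def _fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes (whitespace in the base64 is ignored)."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_cert))).hexdigest()


def confirm_subject(assertion_xml, recipient, now, client_cert_b64=None):
    """Return (accepted, reason) for the assertion as presented by a client.

    client_cert_b64 is the certificate the client authenticated the TLS session
    with, or None if it presented no key.  Any one matching SubjectConfirmation
    is enough, as the SAML core spec allows several.
    """
    root = ET.fromstring(assertion_xml)
    reasons = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            reasons.append("no SubjectConfirmationData")
            continue
        # Checks shared by both methods: addressed to us, and still within its lifetime.
        if scd.get("Recipient") != recipient:
            reasons.append("Recipient is not this SP")
            continue
        expiry = datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            reasons.append("confirmation data expired")
            continue
        if method == CM_BEARER:
            # Nothing ties the assertion to the presenter: possession alone suffices.
            return True, "bearer: accepted on possession of the assertion alone"
        if method == CM_HOK:
            if client_cert_b64 is None:
                reasons.append("holder-of-key: client presented no key")
                continue
            presented = _fingerprint(client_cert_b64)
            certs = scd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if any(hmac.compare_digest(_fingerprint(c.text), presented) for c in certs):
                return True, "holder-of-key: presented key is named in the assertion"
            reasons.append("holder-of-key: presented key not named in the assertion")
            continue
        reasons.append("unsupported confirmation method %s" % method)
    return False, "; ".join(reasons) or "no SubjectConfirmation element"


def make_assertion(method, not_on_or_after, recipient, cert_b64s=()):
    """Build a minimal, unsigned assertion for the demo (constructed, not from any IdP)."""
    key_info = "".join(
        "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo>" % c for c in cert_b64s)
    xsi = (' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
           ' xsi:type="saml:KeyInfoConfirmationDataType"') if key_info else ""
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" ID="_constructed" Version="2.0" '
        'IssueInstant="2008-06-01T00:00:00Z">' % (NS["saml"], NS["ds"])
        + "<saml:Issuer>https://idp.example.org</saml:Issuer><saml:Subject>"
        + "<saml:NameID>alice</saml:NameID>"
        + '<saml:SubjectConfirmation Method="%s">' % method
        + '<saml:SubjectConfirmationData%s Recipient="%s" NotOnOrAfter="%s">%s'
          % (xsi, recipient, not_on_or_after, key_info)
        + "</saml:SubjectConfirmationData></saml:SubjectConfirmation>"
        + "</saml:Subject></saml:Assertion>")


def demo():
    """Run the same SP check over constructed bearer and holder-of-key assertions."""
    now = datetime(2008, 6, 1, 0, 0, tzinfo=timezone.utc)
    sp = "https://sp.example.org/SAML2/SSO"          # hypothetical SP endpoint
    fresh, stale = "2008-06-01T00:05:00Z", "2008-05-31T23:55:00Z"
    alice = base64.b64encode(b"constructed stand-in for Alice's DER cert").decode()
    mallory = base64.b64encode(b"constructed stand-in for Mallory's DER cert").decode()
    bearer = make_assertion(CM_BEARER, fresh, sp)
    hok = make_assertion(CM_HOK, fresh, sp, [alice])
    return {
        "bearer_from_alice": confirm_subject(bearer, sp, now, alice)[0],
        "bearer_replayed_by_mallory": confirm_subject(bearer, sp, now, mallory)[0],
        "hok_from_alice": confirm_subject(hok, sp, now, alice)[0],
        "hok_replayed_by_mallory": confirm_subject(hok, sp, now, mallory)[0],
        "hok_without_client_key": confirm_subject(hok, sp, now)[0],
        "hok_expired": confirm_subject(make_assertion(CM_HOK, stale, sp, [alice]),
                                       sp, now, alice)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-28s %s" % (case, "accepted" if accepted else "rejected"))
```

The two "replayed_by_mallory" cases are the whole point: the bearer assertion is accepted no matter who presents it, while the holder-of-key assertion is rejected unless the presenter's TLS certificate matches one named in the assertion's KeyInfo. This is the "crypto binding between the assertion and a client-wielded key" that Bob suggests 800-63 should require generically, without naming holder-of-key as the only way to achieve it. A real deployment would also check Audience, InResponseTo and the assertion signature, none of which is shown here.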
