Subject: discussion re NIST 800-63 and SAML LoA
Tim: This is a note following up on our talk at IETF regarding the use of SAML signon at higher assurance levels in NIST 800-63. I've cc'd the SAML TC and its chairs, since they may want to follow up further (I'm leaving on vacation shortly). Here's what I recall we talked about:

* You said that there are some USG agencies interested in using SAML signon at LoA 4, so it would be good to figure out if that can be done somehow.

* We agreed that the issue regarding use of SAML signon at LoA 4 is that the use of Bearer subject confirmation in the standard web browser profile doesn't provide a crypto-key binding between the client and the assertion. You mentioned that you and Bill had even done some whiteboarding looking for a way to get around this. I explained the notion of Subject Confirmation and said that a new draft describing the use of "holder-of-key" subject confirmation is going through the TC now that should address this issue. You can find this via the TC documents page: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security Just look for sstc-saml-holder-of-key-browser-sso-draft (currently draft -05).

* You said you have someone working on this issue right now, so it would be a good time for interested TC members to help him get the language right on this. We figured that it could probably be stated in a generic fashion, i.e. avoiding reference to "holder-of-key" specifically, rather saying that the mechanism has to provide a crypto binding between the assertion and a client-wielded key, or something like that.

* Regarding the issue of the generic use of "Assertions" in 800-63 as opposed to mentioning SAML or other technologies specifically, you thought it would be reasonable for the TC to issue a document as a supplement to the upcoming 800-63 stating in appropriate detail how SAML can be used to meet 800-63 requirements for use of assertions. But you're open to negotiation on this.

I think that was about it.
I'm glad we had a chance to get together on this, as it seems important to both the 800-63 consumers and the SAML community to get this right. - RL "Bob"
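The bearer-versus-holder-of-key distinction discussed in the message above, shown as an added example that is not part of the email or of the OASIS draft it references. The relying party check below builds two constructed, unsigned assertions and then applies the confirmation rule for each method: a bearer assertion is accepted from whoever presents it, while a holder-of-key assertion is accepted only if the certificate the client presented during TLS client authentication matches the X509Certificate carried in the assertion's KeyInfo. The certificate bytes, the NameID "alice", the Recipient URL and the helper names are all assumptions for illustration; a real relying party would verify the assertion signature and use a hardened XML parser before running this check.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-ins for the DER bytes of two client TLS certificates.
# Only their fingerprints are compared, so they need not be real X.509.
CLIENT_CERT_DER = b"constructed-der-bytes-of-the-client-certificate"
OTHER_CERT_DER = b"constructed-der-bytes-of-some-other-certificate"


def build_assertion(method, cert_der=None):
    """Build a minimal constructed (unsigned) assertion with one SubjectConfirmation.

    For holder-of-key the issuer places the client's certificate in a KeyInfo
    inside SubjectConfirmationData (KeyInfoConfirmationDataType), as in the
    holder-of-key browser SSO draft; for bearer no key is carried."""
    keyinfo = ""
    xsi_type = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        keyinfo = ('<ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + b64 +
                   '</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')
        xsi_type = 'xsi:type="saml:KeyInfoConfirmationDataType" '
    return (
        '<saml:Assertion xmlns:saml="' + NS["saml"] + '" xmlns:ds="' + NS["ds"] + '" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_constructed" Version="2.0">'
        '<saml:Subject><saml:NameID>alice</saml:NameID>'
        '<saml:SubjectConfirmation Method="' + method + '">'
        '<saml:SubjectConfirmationData ' + xsi_type + 'Recipient="https://sp.example/acs">'
        + keyinfo +
        '</saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject>'
        '</saml:Assertion>'
    )


def confirm_subject(assertion_xml, client_cert_der):
    """Apply the subject confirmation rule at the relying party.

    client_cert_der is the DER certificate the browser presented during TLS
    client authentication, or None if it presented none. Returns
    (method, accepted, reason). Signature verification is assumed to have
    happened before this function is called and is not shown here."""
    root = ET.fromstring(assertion_xml)  # use defusedxml for untrusted input
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None:
        return (None, False, "no SubjectConfirmation element")
    method = sc.get("Method")

    if method == BEARER:
        # Whoever delivers the assertion is taken to be the subject: nothing
        # ties the assertion to a key the client proved possession of.
        return (method, True, "bearer: accepted from presenter, no key binding")

    if method == HOLDER_OF_KEY:
        if client_cert_der is None:
            return (method, False, "holder-of-key: client presented no certificate")
        cert_el = sc.find(
            "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is None or not cert_el.text:
            return (method, False, "holder-of-key: no X509Certificate in KeyInfo")
        asserted = base64.b64decode(cert_el.text.strip())
        # Compare fingerprints in constant time; the client proved possession of
        # the private key for client_cert_der during the TLS handshake.
        if not hmac.compare_digest(hashlib.sha256(asserted).digest(),
                                   hashlib.sha256(client_cert_der).digest()):
            return (method, False, "holder-of-key: presented certificate does not match KeyInfo")
        return (method, True, "holder-of-key: presented certificate matches KeyInfo")

    return (method, False, "unsupported confirmation method: " + str(method))


if __name__ == "__main__":
    print(confirm_subject(build_assertion(BEARER), None))
    print(confirm_subject(build_assertion(HOLDER_OF_KEY, CLIENT_CERT_DER), CLIENT_CERT_DER))
    print(confirm_subject(build_assertion(HOLDER_OF_KEY, CLIENT_CERT_DER), OTHER_CERT_DER))
```

The third call is the case the message is about: with holder-of-key, an assertion stolen and replayed by a party holding a different key (or no key at all) is rejected, whereas the bearer path accepts it unconditionally, which is why bearer confirmation alone cannot supply the client-to-assertion binding wanted at the higher assurance level.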