OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: comments re sstc-saml-holder-of-key-browser-sso-draft-08

SAML V2.0 Holder-of-Key Web Browser SSO Profile
Document ID sstc-saml-holder-of-key-browser-sso-draft-08 (ODT version)

General comments:

- Draft-08 seems to be missing from the archive.  The link in the SAML
wiki still works but the linked document is not exactly the same as
the one I've reviewed (the two are off by a few lines).  I don't know
what happened to that document.

- Section 1.5 needs to be replaced with an inline revision history as
suggested in this comment:


- A section entitled "TLS Usage" seems to be required.  The text in
this new section should reference the steps in section 2.3 and
emphasize where TLS is required and where it is optional.  Where it is
optional (step 1), the possible uses of client TLS should be outlined.
 (Possible uses of client TLS at step 1 include: 1) to construct a
specific <saml:SubjectConfirmation> element, 2) to use the TLS session
in lieu of a cookie-based session, and 3) to use information in the
certificate for the purposes of IdP Discovery.)

- Step 2 in section 2.3 needs to be rewritten.  (In particular, the
last phrase in the last sentence is not clear.)  Also, I think the
Identity Provider Discovery Profile should be mentioned (as long as
you're mentioning other approaches to discovery).

- I think much of section 2.5.2 has been rewritten in draft-09.
That's good since this section needs a lot of work.

- Bullets 3 and 8 in section 2.5.3 should be combined.  Bullets 9 and
10 can be combined.

- After combining the requirements of sections 2.6 and 3, I think I
know how to configure endpoints used exclusively with Web Browser SSO
or HoK Web Browser SSO, but I'm not clear how to configure an endpoint
that permits both.  Please describe.

- I'm still waiting for an opportunity to edit this document :-)

Specific comments:

- [lines 32--39]  Here is a revised abstract:

This profile allows for transport of holder-of-key assertions by
standard HTTP user agents with no modification of client software and
maximum compatibility with existing deployments.  Most of the flows
are as in standard Web Browser SSO [SAML2Prof], but an X.509
certificate presented by the user agent through client TLS
authentication supplies a key that results in a holder-of-key
assertion. Proof of possession of the private key corresponding to the
public key in the certificate resulting from TLS authentication
strengthens the assurance of the resulting authentication context and
protects against credential theft.  Neither the IdP nor the SP are
required to validate the certificate.

- [lines 329--330] I think a reference to [SAML2HoKAP] is appropriate here.

- Add the following paragraph at the end of section 2.4.4:

If the principal is unable to prove possession of the private key
corresponding to the public key bound to the certificate (via TLS), or
the identity provider is unable to retrieve the X.509 certificate
resulting from the TLS exchange, the identity provider MUST return an
error.  Otherwise the identity provider follows the rules specified in
section 2.5.2.

- [lines 343--345] The first part of this sentence should be moved to
section 2.4.1 as a requirement for the SP.  Then rewrite the sentence
as an "if-then" requirement.

- [lines 347--350] Break this one-sentence paragraph into at least two

- [lines 360--361] I don't think there's any question that the SP will
establish a security context.  Can you give a use case where a
security context is not established?

- [lines 361--362] Can you reword this sentence for clarity?

- [lines 376--380]  I think these requirements have been reworded in
draft-09.  If not, this needs work.

- [lines 435--437] This requirement makes no sense, I think it should
be removed or at least reworded.

- [lines 461--462] Use profile names rather than URIs here.

- [lines 466--472] Is exclusivity required here?  Are there really two
sets of requirements, one for endpoints to be used exclusively with
this profile and one for shared endpoints?  I think this needs to be
made clear.  (See comments re section 3 as well.)

- [lines 490--491] This statement is true in general, not just for this profile.

- [lines 495--496] What are the "security precautions appropriate for
standard bearer assertions"?  A reference is required here.

- [lines 497--499] Here's the requirement I was looking for in section
2.6.  I think this requirement needs to be moved to section 2.6 for
clarity and precision.

Suggested edits::

- [line 27, 130] s/Profile/Profile described/

- [line 132] s/user agent needs to acquire/user agent acquires/

- [line 285] s/unsigned and//

- [line 300] s/X.509 subject/X.509 subject distinguished name/

- [line 307] s/user agent/user agent in section 2.4.1/

- [line 316] s/message using, for example,/message, using for example/

- [line 320] s/or referenced/in whole or in part/

- [line 335] s/[SAML2Bind]/the chosen binding [SAML2Bind]:/

- [line 336] s/to the/to the assertion consumer service at the/

- [line 347] s/message resulting from section 2.4.5 to the service
provider/response message to the service provider resulting from
section 2.4.5/

- [line 359] s/[SAML2Core]/[SAML2Core] and section 2.5.4/

- [line 411] s/metadata or/metadata or a <saml:SubjectConfirmation> element in/

- [line 439] s/which is not valid/that is not valid/

- [line 471] s/hoksso:ProtocolBinding attribute/attribute called

- [line 472] s/original/desired/

- [line 491] s/<saml:SubjectConfirmation>/<saml:SubjectConfirmation> element/

- [line 494] s/subject confirmations/subject confirmation elements/

- [line 501] s/assertions and protocols supporting their issuance and
confirmation have/Web Browser SSO has/

- [line 526] s/must ensure/ensure/

Tom Scavo

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]