security-services message

Subject: comments re sstc-saml-holder-of-key-browser-sso-draft-10

There are a couple of requirements in draft-10 of the HoK Web Browser
SSO Profile [1] that require further discussion.

First, the HoK Web Browser SSO Profile specifies (lines 384--385) that
the <samlp:AuthnRequest> element MAY be signed, yet Core specifies
(lines 2012--2013) that the <samlp:AuthnRequest> element SHOULD be
signed.  The HoK Web Browser SSO Profile goes on to give the following
requirement (lines 392--393):

"If the <samlp:AuthnRequest> is not authenticated and integrity
protected, the information in it MUST NOT be trusted except as

Sorry, I do not understand the above requirement.  To make matters
worse, the HoK Web Browser SSO Profile specifically recommends against
signing in the section on Security and Privacy Considerations (lines
522--523).  How do we reconcile this apparent discrepancy with regard
to request signing?  What are the proper requirements with respect to
signing the AuthnRequest?

Second, I know we've discussed this before, but I think a
<samlp:Response> element issued under HoK Web Browser SSO should
contain one and only one <saml:AuthnStatement> element.  I can't
imagine why you'd want more than one, and even if multiple
<saml:AuthnStatement> elements were allowed, I would think you'd want
them to be identical.

I know the language in the HoK Web Browser SSO Profile is
intentionally similar to that in the ordinary Web Browser SSO Profile,
but is there really a use case for multiple <saml:AuthnStatement>


[1] http://www.oasis-open.org/committees/download.php/30309/sstc-saml-holder-of-key-browser-sso-draft-10.odt
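As an added illustration of the two points raised in the message above (not part of the original post, and not code from the OASIS specifications), here is an SP-side structural check over a received <samlp:Response>: it reports when the Response does not carry exactly one <saml:AuthnStatement>, whether multiple statements differ from each other, and whether neither the Response nor the Assertion carries a <ds:Signature> element. The sample XML is constructed; the empty <ds:Signature/> is a placeholder, so this is a structural check only and performs no signature verification.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 / XML-DSig namespaces used by the HoK Web Browser SSO Profile
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_hok_response(xml_bytes: bytes) -> list:
    """Return a list of findings; an empty list means all structural checks passed."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    findings = []
    # Point 2 of the message: one and only one saml:AuthnStatement per Response
    stmts = root.findall(".//saml:AuthnStatement", NS)
    if len(stmts) != 1:
        findings.append("expected exactly one saml:AuthnStatement, found %d" % len(stmts))
    if len(stmts) > 1:
        # Compare canonicalised serialisations so attribute order does not matter
        forms = {ET.canonicalize(ET.tostring(s, encoding="unicode")) for s in stmts}
        if len(forms) > 1:
            findings.append("multiple saml:AuthnStatement elements differ from each other")
    # Integrity protection: a ds:Signature on the Response or on an Assertion
    signed = root.find("ds:Signature", NS) is not None or any(
        a.find("ds:Signature", NS) is not None for a in root.findall("saml:Assertion", NS))
    if not signed:
        findings.append("neither samlp:Response nor saml:Assertion carries a ds:Signature")
    return findings


# Constructed sample: one AuthnStatement, signed Assertion (placeholder signature)
GOOD_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature/>
  <saml:AuthnStatement AuthnInstant="2009-01-01T00:00:00Z"/>
 </saml:Assertion></samlp:Response>"""

# Constructed sample: two differing AuthnStatements and no signature anywhere
BAD_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <saml:AuthnStatement AuthnInstant="2009-01-01T00:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2009-01-01T00:05:00Z"/>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_hok_response(GOOD_RESPONSE))
    print(check_hok_response(BAD_RESPONSE))
```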
