security-services message



Subject: Re: SAML V2.0 HoK Web Browser SSO Profile (draft-11)


On Sun, Jan 11, 2009 at 8:15 PM, Tom Scavo <trscavo@gmail.com> wrote:
> Draft-11 of the SAML V2.0 HoK Web Browser SSO Profile has been
> uploaded to the document repository:
>
> http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile
>
> This draft of the SAML V2.0 Holder-of-Key Web Browser SSO Profile has
> been edited for clarity and preciseness.  The spirit and intent of
> Nate Klingenstein's original work has been mostly preserved in
> draft-11.  Since nearly every paragraph has been touched, in some
> cases totally rewritten, no diff has been provided.  However, I will
> summarize the changes made to the profile on next Tuesday's call.
>
> Tom Scavo
> NCSA

Here is a list of sections in draft-11 where the language differs
significantly from that in draft-10:

- Section 1.5 (Conformance).  HTTP POST and HTTP Redirect are
mandatory to implement.  HTTP Artifact is OPTIONAL.

- Section 2.4 (TLS Usage) is completely new.  Paragraph at lines
334--340 is new, otherwise this section is a reformulation of the TLS
requirements previously scattered about (or implied).

- Section 2.5 (Choice of Binding) is completely new.  Suggests
SimpleSign may be used, otherwise there's nothing new here.

- Aside: Is SimpleSign allowed?  Does it make sense to use SimpleSign
in a profile meant to be "stronger" than ordinary Web Browser SSO?  If
SimpleSign is allowed, then language using the words "sign" or
"signing" needs to be loosened.

- Section 2.7.1 (<samlp:AuthnRequest> Usage).  The request may be
signed (period).  New requirements regarding the XML attributes on the
<samlp:AuthnRequest> element.  Removed the redundant requirement re
AllowCreate="true".

- Section 2.7.2 (<samlp:AuthnRequest> Message Processing Rules). New
rules in the case where the request is signed.  Clarification of
behavior if the XML attributes on the <samlp:AuthnRequest> element are
missing.

- Section 2.7.3 (<samlp:Response> Usage).  Clarification re strongly
matching subjects.  Additional language in the case where multiple
<saml:AuthnStatement> elements are issued (see lines 529--537).

- Section 2.7.4 (<samlp:Response> Message Processing Rules).  Behavior
in the case of multiple <saml:AuthnStatement> elements (basically, SP
behavior is unspecified).  Removed requirement: "SHOULD NOT rely on
any other data."
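The service-provider check that the <samlp:Response> processing rules above hinge on, shown as an added example that is not part of this message, of the draft profile text, or of any OASIS implementation: the holder-of-key confirmation compares the X.509 certificate carried in the assertion's <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"> <ds:KeyInfo> against the certificate the browser presented during TLS client authentication. The function names (build_response, hok_certs_from_assertion, confirm_holder_of_key), the placeholder certificate bytes, and the sample response are all constructed for the example. It assumes the XML signature, SubjectConfirmationData validity window, Recipient and InResponseTo have already been verified before this point, and it rejects assertions with other than one <saml:AuthnStatement>; that last behaviour is a local SP policy choice, since the message notes the profile leaves it unspecified.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholder standing in for the DER encoding of the browser's
# TLS client certificate; it is not a real certificate.
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed placeholder, not real DER"


def build_response(cert_der, method=HOK, authn_statements=1):
    """Constructed minimal <samlp:Response> for the example (assumption:
    a real response also carries Conditions, ds:Signature, etc.)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    authn = "".join(
        '<saml:AuthnStatement AuthnInstant="2009-01-11T20:15:00Z">'
        "<saml:AuthnContext><saml:AuthnContextClassRef>"
        "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement>"
        for _ in range(authn_statements)
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'ID="_r1" Version="2.0" IssueInstant="2009-01-11T20:15:00Z">'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-01-11T20:15:00Z">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{method}">'
        '<saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">'
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>"
        "</saml:SubjectConfirmation></saml:Subject>"
        f"{authn}</saml:Assertion></samlp:Response>"
    )


def cert_fingerprint(der):
    """SHA-256 over the DER bytes; comparing fingerprints avoids keeping
    whole certificates around and is what most SP code already logs."""
    return hashlib.sha256(der).hexdigest()


def hok_certs_from_assertion(assertion):
    """DER bytes of every X509Certificate inside a holder-of-key
    SubjectConfirmation; bearer confirmations are ignored on purpose."""
    certs = []
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for x in sc.findall(path, NS):
            certs.append(base64.b64decode("".join((x.text or "").split())))
    return certs


def confirm_holder_of_key(response_xml, tls_client_cert_der):
    """Return (ok, reason). ok is True only when the TLS client certificate
    matches a key in a holder-of-key SubjectConfirmation. Signature and
    SubjectConfirmationData checks are assumed to have run already."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response"
    certs = hok_certs_from_assertion(assertion)
    if not certs:
        return False, "no holder-of-key SubjectConfirmation"
    presented = cert_fingerprint(tls_client_cert_der)
    if not any(cert_fingerprint(c) == presented for c in certs):
        return False, "TLS client certificate does not match any HoK key"
    n = len(assertion.findall("saml:AuthnStatement", NS))
    if n != 1:  # local SP policy: the profile leaves this case unspecified
        return False, f"expected exactly one AuthnStatement, found {n}"
    return True, "holder-of-key confirmed"


if __name__ == "__main__":
    print(confirm_holder_of_key(build_response(CLIENT_CERT_DER), CLIENT_CERT_DER))
    print(confirm_holder_of_key(build_response(CLIENT_CERT_DER), b"some other cert"))
    print(confirm_holder_of_key(build_response(CLIENT_CERT_DER, method=BEARER), CLIENT_CERT_DER))
```

The bearer case is the one worth noticing: an assertion that confirms the subject only by bearer method must be refused under this profile even when the TLS session did present a client certificate, otherwise the "stronger" guarantee collapses back to ordinary Web Browser SSO.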

