RE: ISSUE:[UC-12-01:Encryption] (was RE: Comments on Straw Man 2:Protection of message contents)

[Darren Platt <dplatt@securant.com>]

Irving,

Sorry if I suggested that we could vote on this issue before the F2F - for a
while there I was thinking there would be more time between straw man 3 and
the F2F.

Thanks for the effort.

Darren



> -----Original Message-----
> From: Irving Reid [mailto:Irving.Reid@baltimore.com]
> Sent: Monday, February 26, 2001 8:10 PM
> To: security-use@lists.oasis-open.org
> Subject: ISSUE:[UC-12-01:Encryption] (was RE: Comments on Straw Man 2:
> Protection of message contents)
>
>
> This clearly can't be ready for ballot before the F2F, but I thought I'd
> respond to Darren's suggestion. What follows is my modified suggestion for
> issue ballot text:
>
>
> ISSUE:[UC-12-01:Encryption] UC-9-02:PrivacyStatement addresses the
> importance of sharing data only as needed between security zones (from
> asserting party to relying party). However, it is also important that data
> not be available to third parties, such as snoopers or untrusted
> intermediaries.
>
> One possible solution for implementors is to use secure channels between
> relying party and asserting party. Another is to use encryption,
> either with
> a shared secret or with public keys.
>
> Possible Resolutions:
>
> 1) Include an allowance for explicit use of encryption, such as XML
> Encryption (http://www.w3.org/Encryption/2001/), within SAML
> messages. SAML
> messages could then be transferred securely on any protocol.
> 2) Specify security properties in the Bindings documents. Each
> binding must
> include a description of how the privacy and integrity of SAML
> messages can
> be protected within that binding. Examples: S/MIME for MIME, HTTP/S for
> HTTP.
>
> ------------------------------------------------------------------
> To unsubscribe from this elist send a message with the single word
> "unsubscribe" in the body to: security-use-request@lists.oasis-open.org
>