OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-use message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: REVISED Issue Group 12, yet again.

> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Friday, March 30, 2001 9:39 AM

> In spite of you heroic efforts, unfortunately I still have problems.

> First, and perhaps unimportantly, I think a) only Assertions need
> confidentiality protection

That was a missed edit on my part - I changed 'message' to 'assertion'
everywhere else.

> and that b) it should be possible 
> to protect only
> specific fields within the Assertion.

I'm inclined to look at that as a design issue for the Core Assertions
group, rather than something the Use Cases group should produce a specific
requirement for.

> More importantly, I think it should be required in the spec and of
> conforming implementations, but its use not be required in 
> any particular
> deployment. 

I have no objection to that. We need good wording for "SAML shall define a
format so that the desired information may _optionally_ be encrypted, and
conforming SAML implementations must support generating and receiving
encrypted data when desired by the particular deployment."

> > ISSUE: [UC-12-03:BindingConfidentiality]
> > 
> > Proposed solutions; choose one of:
> > 
> > 1) Add the requirement:
> > [R-BindingConfidentiality] Each protocol binding should include a
> > description of how the confidentiality of SAML data can be 
> > protected within
> > that binding. Examples: S/MIME for MIME, HTTP/S for HTTP.
> > 
> > 2) Add the requirement:
> > [R-BindingConfidentiality] Each protocol binding must ensure 
> > that SAML data
> > is protected from observation by third parties.
> > 
> > 3) Do not add either requirement.
> > 
> > In either case, Use Cases should be edited to call out this 
> > requirement
> > where appropriate.
> This ignores two possibilities.
> 1) For a given instance of a given use case there is no need 
> to exchange
> data which is sensitive, for example because it is public 
> knowledge, e.g.
> John Smith is a M.D.
> 2) The owners of a deployment may decide that the 
> confidentially of the
> information can adequately be protected by alternate means, 
> e.g. a secure
> network.
> It also occurs to me that there might be a binding for which 
> no encryption
> method is available. Rather than force us to either drop the 
> binding or
> invent our own method, I would prefer to address the risk in 
> the security
> considerations section of that binding.

While the wording on alternative 1) isn't clear about this, I had intended
the first option to cover these cases. The distinction I intended between 1)
and 2) is that in 1) protection by the binding is optional, and in 2) it is
required. I also intended by the slightly loose wording "should include a
description of how..." that the description could be "This binding doesn't
protect confidentiality. Use at your own risk."

> -----------------
> I am not sure if this means I am simply voting for making confidentiality
> optional in the spec. I want to direct the various subcommittees to deal
> with the issue and define mechanisms wherever possible, but not at the
> of either a) inventing new schemes or b) delaying the publication of SAML.
> Hal

That's _exactly_ what I want. If only I could get the words right...

 - irving -

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC