Subject: Comments on ISSUE:[UC-13-05:SecurityPolicy]
The candidate text reads:
----------------------------------------------------------------------
ISSUE:[UC-13-05:SecurityPolicy] Bob Morgan proposed a business-level
requirement as follows:
[CR-13-05-SecurityPolicy] Security measures in SAML should
support common institutional security policies regarding
assurance of identity, confidentiality, and integrity.
Potential Resolutions:
1. Add this requirement to the use case and requirements document.
2. Leave this requirement out of use case and requirements document.
-----------------------------------------------------------------------
I'm not quite sure what this requirement means. I can read it two ways:
1) SAML should have ways of encrypting, protecting integrity,
authenticating, etc.
In this case, I think we already have (or are discussing) the necessary
requirements.
2) SAML should have a way of expressing an institutional policy and then
automatically enforcing that policy through the mechanisms described in 1).
This is a much bigger issue, and one that I'd definitely like to place out
of scope.
Have I missed the point on this one, or do others also find it unclear?
- irving -