Re: Attribute Sharing Profile for X.509 Authentication-Based Systems (Draft-12) - Tom Scavo - org.oasis-open.lists.security-services

12 messages in org.oasis-open.lists.security-servicesRe: Attribute Sharing Profile for X.5...

From	Sent On	Attachments
Tom Scavo	Mar 25, 2007 2:51 pm
Tom Scavo	Mar 27, 2007 9:58 am
Tom Scavo	Mar 27, 2007 10:16 am
Staggs, David (SAIC)	Mar 27, 2007 10:27 am	.doc
Anderson, Steve	Mar 28, 2007 8:02 am	.doc
Scott Cantor	Mar 28, 2007 9:14 am
Ari Kermaier	Mar 29, 2007 9:27 am
Tom Scavo	Mar 29, 2007 9:31 am
Ari Kermaier	Mar 30, 2007 9:03 am
Hal Lockhart	Apr 9, 2007 2:37 pm
Staggs, David (SAIC)	Apr 10, 2007 9:41 am	.doc
Ari Kermaier	Apr 12, 2007 11:13 am

Subject:	Re: Attribute Sharing Profile for X.509 Authentication-Based Systems (Draft-12)
From:	Tom Scavo (trsc...@gmail.com)
Date:	Mar 27, 2007 10:16:57 am
List:	org.oasis-open.lists.security-services

On 3/25/07, Tom Scavo <trsc...@gmail.com> wrote:

Draft-12 of the Attribute Sharing Profile has been uploaded to the archive:

http://www.oasis-open.org/apps/org/workgroup/security/download.php/23148/sstc-saml-x509-authn-attrib-profile-draft-12.odt http://www.oasis-open.org/apps/org/workgroup/security/download.php/23149/sstc-saml-x509-authn-attrib-profile-draft-12.pdf http://www.oasis-open.org/apps/org/workgroup/security/download.php/23150/sstc-saml-x509-authn-attrib-profile-draft-12-diff.pdf

To summarize, the following normative changes were made in draft-12:

1. The profile identifiers were changed.

OLD: urn:oasis:names:tc:SAML:profiles:query:attributes:X509-basic NEW: urn:oasis:names:tc:SAML:2.0:profiles:query:attribute:X509-basic

OLD: urn:oasis:names:tc:SAML:profiles:query:attributes:X509-encrypted NEW: urn:oasis:names:tc:SAML:2.0:profiles:query:attribute:X509-encrypted

2. The following sentence was added to section 4.2.2 (Use of Encryption):

A symmetric key transmitted in an <xenc:EncryptedKey> element MUST NOT be later reused by the service provider as a previously established symmetric key.

3. The mixing of encrypted and unencrypted assertions is prohibited in Encrypted Mode.

4. The following line was deleted in section 4.2.2 (Use of Encryption):

This procedure MUST be supported by the service provider.

Likewise the following line was deleted in 4.3.2 (Use of Encryption):

This procedure MUST be supported by the identity provider.

5. Both the assertion and response MUST be signed in section 4.3.3 (Use of Digital Signatures).

Tom

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets