Archive for the ‘SAML’ Category

« Older Entries

Sunday, May 7th, 2017

Web Authentication Working Draft rev 5 (WD-05) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20170505/

The latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/

Please note that this spec is only a Working DRAFT and will change, possibly in “breaking” ways. While not a candidate recommendation, this version is informally intended by the working group to be an Implementer’s Draft, which will be used for experimenting with implementations of the API.

WebAuthn WD-05 features many significant changes from the prior version:
* Alignment with Credential Management (CredMan): https://w3c.github.io/webappsec-credential-management/
* Using the term Public Key Credentials rather than Scoped Credentials
* Algorithms updated to more precisely define their operations and to be CredMan compatible
* Expanded and more explicit specification of the extensions framework
* Terminology expansion and polishing
* and more…

HTML “inline” Diff: http://www.kingsmountain.com/doc/diff/diff-webauthn-index-master-tr-dda3e24-WD-05–from–index-master-tr-ce7925c-WD-04.html

PDF side-by-side text-only Diff: http://kingsmountain.com/doc/diff/diff-webauthn-index-master-tr-dda3e24-WD-05–from–index-master-tr-ce7925c-WD-04.pdf

Wd-05 Release Page at github: https://github.com/w3c/webauthn/releases/tag/WD-05-20170505

Average Rating: 4.4 out of 5 based on 222 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Draft Specs, Protocols, Web Security | No Comments »

Tuesday, October 2nd, 2012

As I’d noted back in July, the draft HSTS spec was in IETF-wide last call, from which we exited in August with various helpful comments. We applied summore elbow grease to the ol’spec and shipped it to the IESG (Internet Engineering Steering Group) for further inspection, received more good comments, subsequently applied more tweaks and polish, and voila(!), this morning we have this little missive in our email…

[websec] Protocol Action: ‘HTTP Strict Transport Security (HSTS)’ to Proposed Standard (draft-ietf-websec-strict-transport-sec-14.txt)

At this point, the draft HSTS spec will be placed on the RFC Editor’s queue (which is fairly large & diverse) and will emerge in several weeks as an RFC with a proper RFC number and all.

Many thanks to all who’ve contributed, especially to Collin Jackson & Adam Barth for originally inventing this approach (which they dubbed “ForceHTTPS“).

=JeffH

PS: The Wikipedia HSTS entry has a consolidated specification history as well as information regarding implementation and deployment.

Average Rating: 4.7 out of 5 based on 243 user reviews.

[ | | | from fda approved pharmacy | ]

Tags:, , , ,
Posted in Draft Specs, IETF, Protocols, Security, Web Security | No Comments »

Tuesday, November 4th, 2008

There’s a new revision of the SIP-SAML profile spec..

SIP SAML Profile and Binding
http://www.ietf.org/internet-drafts/draft-ietf-sip-saml-05.txt

The key changes in this revision are that we’re aiming for experimental track (for now) due to a subtle-but-important impedance mismatch with the “SIP Identity” spec (RFC 4474, which we build upon), and we’ve add an additional profile to the spec. This new profile simply specifies SAML assertion conveyance “by value” in the body of SIP message(s) rather than “by reference”.

Note that the overall notion of “SIP Identity” has been in-flux over the last year+. Once that set of issues is (hopefully) resolved, then we can do another SIP-SAML spec on the standards track.

Also, the SIP WG co-chairs have called for Working Group Last Call on this -05 revision.

=JeffH sez getcher comments in!

Average Rating: 4.4 out of 5 based on 245 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Draft Specs, Identity, IETF, SAML, SIP, VoIP | 1 Comment »

Monday, January 21st, 2008

Eve (aka xmlgrrl) posted the following bit of musing today..

Circles of trust: disaster? or really bad idea?
http://www.xmlgrrl.com/blog/archives/2008/01/21/circles-of-trust-disaster-or-really-bad-idea/

..which I tend to think hits the proverbial nail pretty squarely on the head wrt “open internet”, “trust all comers”, and “trust circles”.

One very small, detail-level comment I have on her post is that where she writes..

(where users are okay with this sort of back-channel communication)

..I would instead make it explicitly clear that “users” sometimes don’t have any direct say with respect to the machinations of the IT department on their behalf. Hence I would write it as..

(where users are okay with this sort of back-channel communication, or where they don’t have any say (e.g. in an enterprise deployment))

Note I don’t feel that the latter is necessarily a good thing, but it’s reality in corporate, governmental, and education worlds (at least), and no amount of attesting that “I want to own my identity data!” is going to change it any time soon (admittedly unfortunately). Besides one’s identity, outside of one’s own thoughts, “..is a story“, as Bob Blakley noted a while back, but has been understood for quite a while by social scientists and philosophers (see, for example, Erving Goffman).

But I digress… 😉

Average Rating: 4.6 out of 5 based on 167 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Deployment, Identity, OpenID, SAML, Security, Trust | 1 Comment »

Tuesday, December 18th, 2007

It looks like this new SAML wiki..

SAML.XML.org

..opened for business on or about the middle of October 2007. Looks like it’ll be a good resource for the wide SAML community.

There’s also another wiki that’s apparently for the members of the OASIS Security Services Technical Committee (SSTC – the group creating and shepherding the SAML specs)..

SSTC Wiki

..so it looks like we’ll have to be careful to figure out what sort of content goes where.

Average Rating: 4.8 out of 5 based on 203 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Community, SAML, Uncategorized | No Comments »

Tuesday, December 18th, 2007

This page..

SAML Open Source Implemenations

..lists eight (at this time) open source SAML implementations of one flavor or another. If you have one and it isn’t listed there as yet, create an account and edit the wiki page appropriately 😉

Average Rating: 5 out of 5 based on 295 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Open Source, SAML, Software | No Comments »

Friday, September 21st, 2007

I’ve updated the SAML-lSSO and SAML OpenID Profile specs just to bring them up-to-date with the latest revisions of various SAML and OpenID specs and to fix minor editorial issues. The SAML-lSSO spec is presently not a current IETF Internet-Draft — it’s prior version expired a few months ago. We’re thinking about whether we want to pursue that spec “officially” or not. The issue with it being that in implementing it, one can optionally turn security completely off — which is a “feature” various folks advocating for so-called “open Internet” identity management desire. But SDOs such as IETF, OASIS, W3C, Liberty Alliance, etc all would look askance at blessing such a spec. In fact the IETF definitely would not allow it to go forward in that they have an explicit policy against promulgating insecure protocols.

The SAML OpenID Profile is a simple hack I threw together a year or so ago (in a single afternoon) to prove the point that there’s nothing OpenID accomplishes protocol- and user-experience-wise that is inherently un-do-able with SAML. [1]

Anyway, here’s the links to said specs…

SAMLv2 Lightweight Web Browser SSO Profile

OpenID-SAML Lightweight Web Browser SSO Profile – Draft 02

=JeffH sez check ’em out.

[1] Note that I’m not claiming that they are equivalently “easy” to implement. By “implement” I mean to write code implementing the protocol on both or either the Relying Party or Identity Provider (aka OpenID Provider) side. Also note that I don’t use the term “implemneting” as a synonym for “deployment”. Also, I am not claiming that they are equivalently “easy” to deploy. Almost all the artifacts of deployment are inherent in how a protocol is implemented. A “feature” that’s often claimed about OpenID as a differentiator is that anyone with a minimally capable hosting environment can field an OpenID relying party. I.e. they don’t need root access, nor access to their webserver configuration, etc. In fact, the same is true with some (all?) of the “scripty” SAML implementations, e.g. ZXID being a case in point.

Average Rating: 4.4 out of 5 based on 279 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Draft Specs, Identity, SAML | No Comments »

Friday, September 7th, 2007

Andreas Ã…kre Solberg writes on his Feide blog..

simpleSAMLphp 0.3 is launched. Most interesting in this new release is the SAML 2.0 IdP functionality. The documentation is not covering everything in detail yet, but it should be sufficient to get something up running.

The simpleSAMLphp 0.3 package also features a Shibboleth 1.3-compatible SP written in PHP.

Average Rating: 4.7 out of 5 based on 205 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Open Source, SAML, Security, Software, Uncategorized | No Comments »

Friday, February 9th, 2007

Here’s someone — Phil Duba — out in the wide web-developer world who’s picked up the SAML specs, largely figured them out, and is working on integrating it (SAML-based SSO) into sites built with Cold Fusion

SAML and ColdFusion – Part 1
http://www.philduba.com/index.cfm/2006/12/29/SAML-and-ColdFusion–Part-1

SAML and ColdFusion – Part 2
http://www.philduba.com/index.cfm/2007/2/9/SAML-and-ColdFusion–Part-2

Cool Stuff.

Average Rating: 5 out of 5 based on 236 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Adoption, SAML | Comments Closed

Friday, February 2nd, 2007

The latest revision of the SAML HTTP POST-SimpleSign Binding Spec is here…

draft-sstc-saml-binding-simplesign-02
http://www.oasis-open.org/committees/download.php
/21715/draft-sstc-saml-binding-simplesign-02.pdf

Diff version: draft-sstc-saml-binding-simplesign-02-diff
http://www.oasis-open.org/committees/download.php
/21716/draft-sstc-saml-binding-simplesign-02-diff.pdf

The salient difference between this new rev of this spec and the prior rev (which is at “Committee Draft” maturity level and out for Public Review) is that now we sign the SAML protocol message’s raw XML representation, rather than base64 encoding it first (as we specified in the previous revs of this spec). The reason for this change is..

Experimentation shows that many web browsers alter linefeeds when submitting form controls that span multiple lines. Since base64-encoded data often wraps, it is not possible to guarantee that the values submitted will match what the original signer produced, resulting in verification failures. Using the raw XML content as a component of the octet string addresses this issue.

..which is a direct quote from the new spec revision (at line 205).

JeffH sez check it out.

Average Rating: 4.7 out of 5 based on 238 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in Draft Specs, SAML | No Comments »

« Older Entries