Hi all,
I had a discussion in CTAB about the deployment profile “encryption” section. One thing that came up was confusion over the scope of the cryptography requirement. Specifically it came up in the context of asking whether any of the requirements in that section apply to TLS connections (they don’t; they apply only to the cryptography used on the actual XML content). While all of the cipher suite links themselves are links into “xml*” URLs, the underlying algorithms and the phrase “when communicating with peers” could be (have been) read to apply to non-XML cryptography (such as TLS).
This raised the question of whether we should call out more explicitly that we’re only talking about XML-related cryptography. Also not clear what would be the best wording for that should the answer be “yes”.
It seems like maybe a small text change would fix this - perhaps as simple as adding a prepositional phrase – but as with the last XML-wording related issue that was raised, I’m not sure what verb and noun make the most sense and would be most precise.
Current:
Deployments MUST support, and use, the following algorithms when communicating with peers in the context of this profile. Where multiple choices exist, any of the listed options may be used. The profile will be updated as necessary to reflect changes in government and industry recommendations regarding algorithm usage.
Potential Draft-y updated text (boldfaced addition; also removed “when communicating with peers”):
Deployments MUST support, and use, the following algorithms *when signing or encrypting SAML XML content* in the context of this profile. Where multiple choices exist, any of the listed options may be used. The profile will be updated as necessary to reflect changes in government and industry recommendations regarding algorithm usage.
Again, not sure how best to focus this proposed, hopefully minor change to clarify.
I’m not opposed, and I feel like your proposed wording is sound, but I feel like it should be obvious. The profile documents SAML deployments, not the transport over which the SAML takes place. Nothing against InCommon CTAB as there are some smart people on there, but I feel like if you have to ask whether this refers to TLS, you shouldn’t be reading this profile.
Thoughts from others?
Keith
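To make concrete what the thread above means by "the cryptography used on the actual XML content", here is an added example (not part of the profile or of anyone's message) that pulls the algorithm identifiers out of a SAML message. The identifiers the profile's encryption section governs are the URIs carried on ds:SignatureMethod, ds:DigestMethod and the xenc:EncryptionMethod elements of an EncryptedData and its EncryptedKey; the TLS cipher suite of the connection that delivered the message never appears in the XML at all. The SAML Response is constructed (no real key material, digest or signature value), the list of W3C XML Signature/Encryption namespaces is my own enumeration, and the profile's actual algorithm list is deliberately not reproduced here.

```python
"""List the XML-layer cryptographic algorithms used in a SAML message.

Added example; not the profile's text or anyone's posted code. The algorithm
URIs are real W3C identifiers; the message itself is constructed and abbreviated.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Namespaces in which XML Signature / XML Encryption algorithm URIs are defined
# (my enumeration; the profile's own allowed-algorithm list is not reproduced).
XML_CRYPTO_NAMESPACES = (
    "http://www.w3.org/2000/09/xmldsig#",
    "http://www.w3.org/2001/04/xmldsig-more#",
    "http://www.w3.org/2007/05/xmldsig-more#",
    "http://www.w3.org/2001/04/xmlenc#",
    "http://www.w3.org/2009/xmlenc11#",
)

# Constructed sample: a signed SAML Response carrying an encrypted assertion.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" xmlns:xenc="{XENC}" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>
"""


def xml_crypto_algorithms(xml_text: str) -> dict[str, list[str]]:
    """Return the algorithm URIs used at the XML layer, keyed by role.

    Roles: 'signature' (ds:SignatureMethod), 'digest' (ds:DigestMethod),
    'data_encryption' (xenc:EncryptionMethod directly under EncryptedData) and
    'key_transport' (xenc:EncryptionMethod directly under EncryptedKey).
    """
    root = ET.fromstring(xml_text)
    algs: dict[str, list[str]] = {
        "signature": [], "digest": [], "data_encryption": [], "key_transport": [],
    }
    for el in root.iter(f"{{{DS}}}SignatureMethod"):
        algs["signature"].append(el.get("Algorithm"))
    for el in root.iter(f"{{{DS}}}DigestMethod"):
        algs["digest"].append(el.get("Algorithm"))
    # find() without a path prefix matches direct children only, so the key
    # transport method nested inside EncryptedKey is not mistaken for the
    # data encryption method of the surrounding EncryptedData.
    for ed in root.iter(f"{{{XENC}}}EncryptedData"):
        m = ed.find(f"{{{XENC}}}EncryptionMethod")
        if m is not None:
            algs["data_encryption"].append(m.get("Algorithm"))
    for ek in root.iter(f"{{{XENC}}}EncryptedKey"):
        m = ek.find(f"{{{XENC}}}EncryptionMethod")
        if m is not None:
            algs["key_transport"].append(m.get("Algorithm"))
    return algs


def is_xml_crypto_uri(identifier: str) -> bool:
    """True if the identifier is an XML Signature/Encryption algorithm URI.

    A TLS cipher suite name such as TLS_AES_128_GCM_SHA256 is not one, which is
    the scope distinction the profile text is trying to express.
    """
    return identifier.startswith(XML_CRYPTO_NAMESPACES)


if __name__ == "__main__":
    for role, uris in xml_crypto_algorithms(SAMPLE_RESPONSE).items():
        for uri in uris:
            print(f"{role:16} {uri}  xml-crypto={is_xml_crypto_uri(uri)}")
```

Running it against the constructed response lists one URI per role, all inside the W3C xml* namespaces; anything describing the transport (cipher suite names, TLS versions) has no place in the message and so never shows up, which is why a requirement scoped to "signing or encrypting SAML XML content" cannot be read as a TLS requirement.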