Ben Campbell <ben(_at_)nostrum(_dot_)com> writes:

> -- section 7
> Does the GSS-API description introduce security considerations? If
> not, please say so.
>
> I did not see a response to this comment.

I missed this in my last e-mail. I propose we add another sub-section
of the security considerations like this:

   7.5. GSS-API specific security considerations

   Security issues inherent in GSS-API (RFC 2743) and GS2 (RFC 5801)
   apply to the SAML GSS-API mechanism defined in this document.
   Further, and as discussed in section 4, proper TLS server identity
   verification is critical to the security of the mechanism.

I believe this should cover the relevant security considerations. Of
course, having more implementation experience with the SAML mechanism
used as a GSS-API mechanism may help to identify further security
considerations for the GSS-API mechanism. However, I don't believe that
is a show-stopper that prevents publication now.
/Simon
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf