OASIS ebXML Messaging Services TC


FW: SAML and EBMS 3.0 [SEC=UNCLASSIFIED]

  • 1.  FW: SAML and EBMS 3.0 [SEC=UNCLASSIFIED]

    Posted 05-30-2013 04:53
Title: SAML and EBMS 3.0 [SEC=UNCLASSIFIED]

Hi All,

Received the following from one of my colleagues in the Australian Government. I am assuming that dual signing is neither desirable nor intended. Is this something we can discuss and clarify?

Regards,
Ian.

Ian Otto
Security Architect
VANguard and Infrastructure Branch
eBusiness Division
__________________________________________
Department of Industry, Innovation, Science, Research and Tertiary Education
SAP House, Level 8.49, Bunda Street, Canberra City ACT 2600
GPO Box 9839, Canberra ACT 2601
Ph: +61-2-6276 1660   Fax: +61-2-6213 6684   Mobile: +61 403 458 215
Email: Ian.Otto@innovation.gov.au
Internet: http://www.innovation.gov.au
ABN 74 599 608 295

From: Jones, Dean (Security Architect) [mailto:Dean.Jones@ato.gov.au]
Sent: Wednesday, 29 May 2013 5:45 PM
To: Young, Malcolm; Otto, Ian
Subject: SAML and EBMS 3.0 [SEC=UNCLASSIFIED]

Hi Malcolm, Ian,

There are currently some discussions going on here about the EBMS standard. I was pulled in to give my opinion about the following extract from the standard and how it affects us using SAML with EBMS. Without looking deeply into the context my answer was that SAML could not be used as the sole mechanism for message integrity. If SAML signing were used (and we didn't want to break the standard) then we would have a dual signed EBMS message. Do you have a different view?

Thanks.

    2328  7.2. Signing Messages
    2329  Signing of ebMS Messages is defined in Web Services Security [WSS10] and [WSS11]. Support for
    2330  WSS X.509 Certificate Token Profile is REQUIRED to sign a message.
<<ebms_core-3.0-spec.zip>>

Dean Jones
Security Architect
Middleware and Common Services / Integrated Common Services
Ph: 621 64369
Mobile: 0407 452 388
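The question in the thread is whether a SAML-based signature can stand in for the WSS X.509 Certificate Token Profile signature that section 7.2 requires support for, or whether the result is a message carrying both. The following script is an added example, not code from the thread, from the OASIS TC or from any ebMS implementation. It inspects the wsse:Security header of a SOAP 1.2 envelope and reports, for each ds:Signature, which token it is bound to: an X.509 BinarySecurityToken (referenced by wsse:Reference URI) or a SAML 2.0 assertion (referenced by a SAML Token Profile 1.1 KeyIdentifier), so a receiving MSH or a test harness can see at a glance whether a message is X.509-signed, SAML-signed or dual signed. It checks structure only and does no cryptographic verification; that needs an XML-DSig library. The sample envelope, its wsu:Id values and the function names are constructed for the example; the namespace URIs and ValueType identifiers are the published WSS 1.0, X.509 Token Profile 1.0 and SAML Token Profile 1.1 values.

```python
"""Report which key token each ds:Signature in a wsse:Security header is bound to.

Added example only (not from the ebMS thread or the OASIS specs). Structural
classification only: no signature is verified here.
"""
import xml.etree.ElementTree as ET

NS = {
    "S12": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# ValueType identifiers from the WSS X.509 Token Profile 1.0 and SAML Token Profile 1.1
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"


def classify_signatures(soap_xml: str) -> list:
    """Return one label per ds:Signature directly under wsse:Security:
    'x509', 'saml' or 'unknown'. A signature nested inside a SAML assertion
    (the issuer's signature over the assertion) is not a message signature
    and is deliberately not counted."""
    root = ET.fromstring(soap_xml)
    sec = root.find("S12:Header/wsse:Security", NS)
    if sec is None:
        return []
    wsu_id = "{%s}Id" % NS["wsu"]
    # Index the tokens so a reference from ds:KeyInfo can be resolved back to its kind.
    bst_ids = {b.get(wsu_id) for b in sec.findall("wsse:BinarySecurityToken", NS)
               if b.get("ValueType") == X509V3}
    saml_ids = {a.get("ID") for a in sec.findall("saml2:Assertion", NS)}
    kinds = []
    for sig in sec.findall("ds:Signature", NS):
        kind = "unknown"
        str_el = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
        if str_el is not None:
            ref = str_el.find("wsse:Reference", NS)          # X.509 token profile: URI="#id"
            kid = str_el.find("wsse:KeyIdentifier", NS)      # SAML token profile: assertion ID as text
            if ref is not None and ref.get("URI", "").lstrip("#") in bst_ids:
                kind = "x509"
            elif kid is not None and kid.get("ValueType") == SAMLID \
                    and (kid.text or "").strip() in saml_ids:
                kind = "saml"
        kinds.append(kind)
    return kinds


def check_ebms_signing(soap_xml: str) -> dict:
    """Summarise the signing state against the section 7.2 requirement (X.509 token profile)."""
    kinds = classify_signatures(soap_xml)
    return {
        "signatures": kinds,
        "x509_present": "x509" in kinds,
        "dual_signed": "x509" in kinds and "saml" in kinds,
    }


# Constructed sample: an ebMS 3.0 envelope signed once with an X.509 token and once
# with a SAML assertion, i.e. the "dual signed" case the thread asks about.
SAMPLE = """<S12:Envelope xmlns:S12="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:eb3="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/">
  <S12:Header>
    <eb3:Messaging wsu:Id="ebms-header"><eb3:UserMessage/></eb3:Messaging>
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id="cert-1"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">constructed-cert-bytes</wsse:BinarySecurityToken>
      <saml2:Assertion ID="assertion-1" Version="2.0"><saml2:Issuer>https://idp.example</saml2:Issuer></saml2:Assertion>
      <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
      <ds:Signature><ds:SignedInfo/><ds:SignatureValue>BBB=</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier
          ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">assertion-1</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S12:Header>
  <S12:Body wsu:Id="body"/>
</S12:Envelope>"""

if __name__ == "__main__":
    print(check_ebms_signing(SAMPLE))
```

Run against the constructed sample the report lists both signature kinds and flags the message as dual signed; a message whose only message-level signature is bound to a SAML assertion would report x509_present False, which is the case the thread says would break the standard. Whether that outcome is desirable is the question the thread leaves open; the script only makes the message's actual state visible before any verification is attempted.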