OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] (ex / non ex) canonical XML


We copied the actual signing profile from Liberty ID-FF 1.1, which correctly
identified the need for a signature profile.

One of the reasons is c14n, but that's not the big one. The real issue in
SAML 1.0 was the lack of ID attributes. Nobody involved knew enough about
dsig to understand that XPath signing is terrible. To ease the job of
implementers, we needed to profile the reference and transforms into a
constrained set so people didn't have to grok anything to figure out what
was signed.

That was the key fix, but also the break in compatibility.

As to your question, signing just doesn't work interoperably in SAML 1.0, so
that's the basic answer.

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]