Subject: RE: [saml-dev] (ex / non ex) canonical XML
We copied the actual signing profile from Liberty ID-FF 1.1, which correctly identified the need for a signature profile. One of the reasons is c14n, but that's not the big one. The real issue in SAML 1.0 was the lack of ID attributes. Nobody involved knew enough about dsig to understand that XPath signing is terrible. To ease the job of implementers, we needed to profile the reference and transforms into a constrained set so people didn't have to grok anything to figure out what was signed. That was the key fix, but also the break in compatibility. As to your question, signing just doesn't work interoperably in SAML 1.0, so that's the basic answer.

-- Scott
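Added example, not part of the original message or of any SAML toolkit: a structural check that a signed SAML 1.1 element follows the kind of constrained reference-and-transform profile described above, with one same-document ID reference and only the enveloped-signature and exclusive c14n transforms. The function name and sample documents are constructed for illustration; the check inspects structure only and does not verify the signature value.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
ALLOWED_TRANSFORMS = {ENVELOPED, EXC_C14N, EXC_C14N + "WithComments"}
ID_ATTRS = ("AssertionID", "RequestID", "ResponseID")  # SAML 1.1 ID attributes

def check_reference_profile(signed_xml):
    """Return a list of profile violations for the root element's signature.
    An empty list means the Reference covers exactly the element carrying it."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return ["no ds:Signature child on the root element"]
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return [f"expected exactly one ds:Reference, found {len(refs)}"]
    ref, problems = refs[0], []
    root_id = next((root.get(a) for a in ID_ATTRS if root.get(a)), None)
    uri = ref.get("URI", "")
    if root_id is None:
        problems.append("root element has no ID attribute to reference")
    elif uri != "#" + root_id:
        problems.append(f"Reference URI {uri!r} does not name root ID {root_id!r}")
    algs = [t.get("Algorithm") for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
    problems += [f"transform outside the profile: {a}" for a in algs if a not in ALLOWED_TRANSFORMS]
    if ENVELOPED not in algs:
        problems.append("enveloped-signature transform missing")
    return problems

def _sample(uri, transforms):  # constructed sample, not a real assertion
    t = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    return (f'<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" '
            f'xmlns:ds="{DS}" AssertionID="_a1"><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="{uri}"><ds:Transforms>{t}</ds:Transforms>'
            f'</ds:Reference></ds:SignedInfo></ds:Signature></Assertion>')

GOOD = _sample("#_a1", [ENVELOPED, EXC_C14N])   # ID reference, profiled transforms
XPATH_STYLE = _sample("", [XPATH])              # whole-document URI plus XPath filter
```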