Subject: Re: [saml-dev] Digital Signature Usage in X.509 Subject Attribute Query Specifications
On Wed, Apr 8, 2009 at 11:32 AM, Anil John <aniltj@gmail.com> wrote:
>
> In looking over the usage of digital signatures between the "SAML v2.0
> Attribute Sharing Profile for X.509 Authentication-Based Systems" [1] and
> the "SAML v2.0 Deployment Profiles for X.509 Subjects" [2], came across a
> difference and am hoping to get a bit of background on the difference.
>
> In [1] Encrypted Mode (Request), the <samlp:AttributeQuery> element MUST be
> signed.
> In [2] Encrypted Mode (Request), the <samlp:AttributeQuery> element MUST be
> signed.
>
> So their usage in the Request is for all intents and purposes identical.
>
> In [1] Encrypted Mode (Response), both the <saml:Assertion> AND the
> <samlp:Response> MUST be signed.
> In [2] Encrypted Mode (Response), the <saml:Assertion> MUST be signed, but
> the <samlp:Response> MAY be signed.
>
> Could anyone provide a bit of background on the optional signing of the
> <samlp:Response> in [2]?

Well, [2] was introduced primarily because [1] was thought to be overly
restrictive (by me at least :) in some respects. A synchronous exchange over
a protected transport need not be further protected at the message level, in
general.

Tom
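The signing rules compared in the thread (the AttributeQuery MUST be signed under both profiles; the Assertion MUST be signed under both, while the Response MUST be signed under [1] but only MAY be signed under [2]) can be turned into a simple conformance check on the messages a relying party receives. The following is an added example and is not code from the mailing list, from either specification, or from any SAML toolkit. It only inspects where enveloped ds:Signature elements are present; verifying the signatures themselves is a separate step for an XML-DSig library. The sample messages, element IDs, issuer URL and the PLACEHOLDER signature bodies are constructed for the example.

```python
"""Check which X.509-subject profile signing rules a SAML exchange satisfies.

Added example (not from the thread or the specifications). It reports the
presence of enveloped signatures; it does not verify them.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder signature; a real one carries SignedInfo references,
# a SignatureValue and usually KeyInfo.
SIG = ('<ds:Signature><ds:SignedInfo/>'
       '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def _has_direct_signature(elem):
    """True if elem carries a ds:Signature as an immediate child, which is
    how an enveloped signature over that element appears."""
    return elem.find("ds:Signature", NS) is not None


def check_attribute_query(xml_text):
    """Both profiles require the samlp:AttributeQuery to be signed in
    Encrypted Mode, so a single boolean answers the request side."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AttributeQuery":
        raise ValueError("not a samlp:AttributeQuery")
    return _has_direct_signature(root)


def check_response(xml_text):
    """Report which elements of a samlp:Response carry a signature and which
    profile's response rules that satisfies."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    response_signed = _has_direct_signature(root)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions and root.findall("saml:EncryptedAssertion", NS):
        # The assertion's own signature sits inside the ciphertext; decrypt
        # first, then run this check on the plaintext assertion.
        raise ValueError("assertion is encrypted; decrypt before checking")
    if not assertions:
        raise ValueError("response carries no saml:Assertion")
    assertion_signed = all(_has_direct_signature(a) for a in assertions)
    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        # [1] Attribute Sharing Profile, Encrypted Mode: both MUST be signed.
        "meets_attribute_sharing_profile": response_signed and assertion_signed,
        # [2] Deployment Profiles for X.509 Subjects: Assertion MUST be
        # signed, Response MAY be signed.
        "meets_x509_deployment_profile": assertion_signed,
    }


def build_sample_query(signed):
    """Constructed sample samlp:AttributeQuery (not from a real deployment)."""
    return (f'<samlp:AttributeQuery xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_q1" '
            f'Version="2.0" IssueInstant="2009-04-08T11:32:00Z">'
            f'<saml:Issuer>https://sp.example.org</saml:Issuer>'
            f'{SIG if signed else ""}</samlp:AttributeQuery>')


def build_sample_response(sign_response, sign_assertion):
    """Constructed sample samlp:Response with one saml:Assertion; each
    placeholder enveloped signature can be toggled on or off."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2009-04-08T11:32:00Z">
  <saml:Issuer>https://aa.example.org</saml:Issuer>
  {SIG if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-04-08T11:32:00Z">
    <saml:Issuer>https://aa.example.org</saml:Issuer>
    {SIG if sign_assertion else ''}
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("query signed:", check_attribute_query(build_sample_query(True)))
    print("both signed:", check_response(build_sample_response(True, True)))
    print("assertion only:", check_response(build_sample_response(False, True)))
```

A response with only the Assertion signed satisfies [2] but not [1], which is exactly the gap the question is about; whether to accept such a response is then a deployment decision that depends on the transport protection the reply describes. Only a direct-child ds:Signature counts, so a signature placed elsewhere in the document is not credited to the element it claims to cover.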