Subject: Re: [saml-dev] role of public key in encrypted assertion
Thanks for the quick reply, Scott!

* Cantor, Scott <cantor.2@osu.edu> [2012-11-04 16:05]:
> On 11/3/12 9:36 PM, "Peter Schober" <peter.schober@univie.ac.at> wrote:
> >This message (that's all of it) seems to imply that the incriminated key
> >at:
> >/Response/EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/ds:KeyInfo/ds:X509Data/ds:X509Certificate
> >should be the IdP's public key.
>
> Nope.
>
> >From glancing over XMLenc (section 3.5.1) and section 3.2.2 of the old
> >"SAML Implementation Guidelines" (returned by $searchengine) I
> >conclude that the SP's public key is included in order to inform the
> >SP which of its keys had been used to encrypt the payload (encryption
> >key).
>
> Yep.
>
> >Furthermore my guess is that the SP's tech-c (writing the above to me)
> >is mistaken and thinks of (unencrypted) XMLsig, where it would make
> >sense to include the issuer's public key in order to aid the SP in
> >verifying the issuer's signature.
>
> They'd both be there most likely but in different places in the message.
> If the response weren't signed, then the IdP's key won't appear anywhere
> until the encrypted assertion were decrypted. If it was, then both would
> be visible prior to decryption.

Yeah, the assertion is signed but not the response, so the IdP's key isn't yet visible.

Thanks,
-peter
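The point of the thread, as an added example that is not part of the original mail exchange: the certificate under EncryptedKey/ds:KeyInfo is a hint telling the SP which of its own encryption keys was used, while the IdP's signing certificate only appears at Response level if the Response itself is signed. The code below (stdlib only) extracts that hint from a constructed, unsigned Response and uses it to pick the matching SP key; the sample XML, key names and base64 placeholders are all constructed, not real material.

```python
"""Locate the recipient-key hint in a SAML Response carrying an EncryptedAssertion."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: assertion encrypted, Response itself NOT signed (as in the thread).
# Base64 values are placeholders, not real certificates or ciphertext.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
            SPCERTPLACEHOLDER==
          </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>WRAPPEDKEY==</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>CIPHERTEXT==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# The path Peter quoted, relative to the Response element.
RECIPIENT_HINT_PATH = ("saml:EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo/"
                       "xenc:EncryptedKey/ds:KeyInfo/ds:X509Data/ds:X509Certificate")

def _norm(b64: str) -> str:
    """Strip whitespace so PEM-style line wrapping does not break comparison."""
    return "".join(b64.split())

def recipient_cert_hint(response_xml: str) -> Optional[str]:
    """Return the SP certificate the IdP says it encrypted the key for, if present."""
    node = ET.fromstring(response_xml).find(RECIPIENT_HINT_PATH, NS)
    return _norm(node.text) if node is not None and node.text else None

def issuer_cert_visible_before_decryption(response_xml: str) -> bool:
    """True only if the Response carries its own ds:Signature with an X509Certificate."""
    path = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return ET.fromstring(response_xml).find(path, NS) is not None

def select_decryption_key(response_xml: str, sp_certs: Dict[str, str]) -> Optional[str]:
    """Map the hint onto one of the SP's configured certificates (name -> base64 cert)."""
    hint = recipient_cert_hint(response_xml)
    return next((n for n, c in sp_certs.items() if hint and _norm(c) == hint), None)
```

If the hint matches none of the SP's keys, the sensible fallback is to try each configured decryption key in turn rather than to trust the hint; the hint is only an aid to key selection, not a guarantee.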