saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] XAdES signatures in SAML v2.0?


Hi Scott,

in the EU (and also in Hungary) we have to use not just the core XML Signature structure of XMLDSIG but the XAdES structure (which is built on XMLDSIG). XAdES extends the core XMLDSIG with e.g. several types of timestamps, revocation data and other metadata, and also uses an extra (mandatory) ds:Reference element that must cover such additional data and metadata. The XAdES structure keeps schema validity with the core XMLDSIG; it just extends it.

So, my answer is that there is no v2.0 for XMLDSIG, but there is an XMLDSIG-based XAdES structure since 2002 (v1.1.1 of ETSI TS 101 903) that has to be applied. And also SAML v2.0 should be used. And now, I am a bit confused how to use XAdES signatures in SAML v2.0 messages because of this requirement:

"Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID attribute value of the root element of the assertion or protocol message being signed."

My suggestion to bypass this problem: can we say that this requirement of SAML v2.0 refers to just the original data-to-be-signed, excluding other metadata (which must also be covered by default, as the XAdES specification says)?

Best regards,
Aron


---

Had XML Signature 2.0 been moved forward, I don't know how or if we even could have managed that, but it would be a very complex problem to change the signature profile. I suspect it would have to be done as an Extension, and I would say the same here. 

You will break every existing implementation, in other words, because you'll have to omit the usual Signature. 

-- Scott

---

Hi,

I have a question in connection with the security (XML-based signature) layer of SAML v2.0 standard.

In Hungary, as a Member State of the EU, we have to apply XAdES-based XML signatures in order to comply with the EU e-signature directive and other legislation. There is a need to also cover SAML-based messages by this legislation, but I found that I cannot apply the XAdES structure for at least one reason. This blocking requirement is the following (in the SAML v2.0 core documentation):

"Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID attribute value of the root element of the assertion or protocol message being signed."

The XAdES structure also makes a reference to the subset of nodes under xades:SignedProperties (so there must be at least two ds:Reference elements instead of a single one).

Could you suggest a solution for how to solve the problem and apply XAdES signatures to SAML messages?

Thanks in advance!

Best regards,
Aron Szabo
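The conflict described in both of Aron's messages, as an added example that is not part of the thread or of any SAML or XAdES implementation: a structural check of the quoted SAML v2.0 rule (exactly one ds:Reference, and it must be a same-document reference to the root element's ID) run against two constructed samlp:Response documents, one carrying a plain XMLDSIG signature and one carrying the extra XAdES ds:Reference to xades:SignedProperties. The sample documents, their IDs, and the PLACEHOLDER digest and signature values are constructed for this example; the check inspects structure only and performs no cryptographic verification, so it shows why a profile-conformant SAML validator rejects the XAdES layout rather than whether the signature is valid.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XADES = "http://uri.etsi.org/01903/v1.3.2#"               # XAdES 1.3.2 namespace
XADES_SP_TYPE = "http://uri.etsi.org/01903#SignedProperties"  # Type of the SignedProperties reference


def build_response(resp_id: str, xades: bool) -> str:
    """Constructed sample (not a real message): a samlp:Response with an
    enveloped ds:Signature. With xades=True the SignedInfo carries the extra
    ds:Reference to xades:SignedProperties that XAdES requires. Digest and
    signature values are placeholders; nothing here is cryptographically valid."""
    sp_id = f"{resp_id}-SignedProperties"
    xades_ref = ""
    xades_obj = ""
    if xades:
        xades_ref = f"""
      <ds:Reference URI="#{sp_id}" Type="{XADES_SP_TYPE}">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>"""
        xades_obj = f"""
    <ds:Object>
      <xades:QualifyingProperties xmlns:xades="{XADES}" Target="#{resp_id}-sig">
        <xades:SignedProperties Id="{sp_id}">
          <xades:SignedSignatureProperties>
            <xades:SigningTime>2024-01-01T00:00:00Z</xades:SigningTime>
          </xades:SignedSignatureProperties>
        </xades:SignedProperties>
      </xades:QualifyingProperties>
    </ds:Object>"""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="{resp_id}" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <ds:Signature xmlns:ds="{DS}" Id="{resp_id}-sig">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#{resp_id}">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>{xades_ref}
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>{xades_obj}
  </ds:Signature>
</samlp:Response>"""


def list_references(xml_text: str):
    """Return [(URI, Type), ...] for every ds:Reference in the root's enveloped signature."""
    root = ET.fromstring(xml_text)
    refs = root.findall(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return [(r.get("URI", ""), r.get("Type", "")) for r in refs]


def check_saml_signature_profile(xml_text: str):
    """Return (ok, reason). ok is True only when the root element carries exactly
    one enveloped ds:Signature whose SignedInfo has exactly one ds:Reference, and
    that Reference is a same-document reference ('#' + ID) to the root's ID.
    Structure only: no digest or signature value is verified here."""
    root = ET.fromstring(xml_text)
    root_id = root.get("ID")
    if not root_id:
        return False, "root element has no ID attribute"
    sigs = root.findall(f"{{{DS}}}Signature")
    if len(sigs) != 1:
        return False, f"expected one enveloped ds:Signature, found {len(sigs)}"
    refs = sigs[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        uris = [r.get("URI", "") for r in refs]
        return False, f"expected a single ds:Reference, found {len(refs)}: {uris}"
    uri = refs[0].get("URI", "")
    if uri != "#" + root_id:
        return False, f"ds:Reference URI {uri!r} is not a same-document reference to #{root_id}"
    return True, "single same-document ds:Reference to the root ID"


PLAIN_DSIG = build_response("_resp1", xades=False)   # conforms to the SAML rule
XADES_DSIG = build_response("_resp2", xades=True)    # second Reference -> rejected

if __name__ == "__main__":
    for label, doc in (("plain XMLDSIG", PLAIN_DSIG), ("XAdES", XADES_DSIG)):
        ok, reason = check_saml_signature_profile(doc)
        print(f"{label}: {'accepted' if ok else 'rejected'} ({reason})")
```

The XAdES document fails at the reference count, not at the root reference: its first ds:Reference still points at the root ID exactly as SAML requires, and it is the second, typed reference to xades:SignedProperties that a profile-conformant validator has no way to accept. That is the concrete form of the "you'll have to omit the usual Signature" problem in Scott's reply, and it is also why the suggested reading (the rule covers only the data to be signed) would have to be expressed as an explicit change or extension to the profile rather than read into the existing text.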

