[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: Note on Digital Signing in SAML
Three separate issues here: (1) Assertions MAY be signed using XML-SIG (ISSUE: enveloped, enveloping, detached? --- are we ready to make a recommendation? Do we want to constrain KeyInfo). (2) Assertions MUST be signed if the RP receives them from any intermediary (entity other than AP). (3) BUT assertions may be embedded within Response/Request messages. These may also be signed with XML-DSIG (ISSUE: as in (1) above). Question: If an assertions are contained within a signed Request/Response pair, can they "inherit" the super-signature?? Should we support this flexibility or should we insist that assertions be individually signed? (4) BUT request/response messages may themselves be embedded within other payloads (XML, MIME). These payloads may themselves be signed. Should the contained SAML messages "inherit" the super-signature?? >>-----Original Message----- >>From: christopher ferris [mailto:chris.ferris@east.sun.com] >>Sent: Saturday, June 30, 2001 7:10 AM >>To: kelvin.beeck@talkingblocks.com >>Cc: 'Mishra, Prateek'; 'Evan Prodromou'; >>security-services@lists.oasis-open.org >>Subject: Re: Note on Digital Signing in SAML >> >> >>Agreed. Often, both signatures are required to establish >>the authenticity of the assertion. >> >>Kelvin Beeck wrote: >><snip/> >>> >>> It seems to me that assertions would often need to be >>signed independent of >>> a composite signature (as part of the protocol binding) >>because issued >>> assertions usually become the input for other queries (eg. >>an authentication >>> assertion as input to an PDP authorization query) or may be >>bound to a >>> payload. >>> >>> The requirement is based on the trust relationship - i.e. >>do I trust an >>> assertion because I trust the bearer, or do I need to >>verify that the >>> assertion came from the stated issuer (I would think so). >>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC