Subject: RE: Note on Digital Signing in SAML (re-send)
The previous message was incomplete! Here is the complete message:
------------------------------------------------------------------
Four separate issues here:

(1) Assertions MAY be signed using XML-DSIG (ISSUE: enveloped, enveloping, detached? Are we ready to make a recommendation? Do we want to constrain KeyInfo?).

(2) Assertions MUST be signed if the RP receives them from any intermediary (entity other than the AP).

(3) BUT assertions may be embedded within Response/Request messages. These may also be signed with XML-DSIG (ISSUE: as in (1) above). Question: If an assertion is contained within a signed Request/Response pair, can it "inherit" the super-signature? Should we support this flexibility or should we insist that assertions be individually signed?

(4) BUT request/response messages may themselves be embedded within other payloads (XML, MIME). These payloads may themselves be signed. Should the contained SAML messages "inherit" the super-signature?

RESOLUTIONS:

(A) Do not consider any signature inheritance notion for SAML messages or assertions.

(B) Include signature inheritance up to (3), do not include (4).

(C) Support full inheritance up to (4).
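As an added example (not part of the original message or of any SAML specification), the check below walks a SAML 1.0 response and records, for each assertion, which signature would have to be verified to cover it: its own enveloped signature, as in issue (1), or an enclosing signed message, the "inherited" case of issue (3), or none at all. The sample document and the set of identifier attributes it looks up are constructed assumptions; it classifies coverage structurally and does not verify any signature value.

```python
import xml.etree.ElementTree as ET

# Namespaces (real): XML-DSIG and the SAML 1.0 assertion namespace.
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
# Identifier attributes a same-document Reference URI="#..." may point at (assumed set).
ID_ATTRS = ("ID", "AssertionID", "ResponseID")

def element_id(el):
    return next((el.attrib[a] for a in ID_ATTRS if a in el.attrib), None)

def referenced_ids(root):
    """IDs named by every ds:Reference URI="#id"; 'whole' is True if some URI="" signs the document."""
    ids, whole = set(), False
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if uri == "":
            whole = True
        elif uri.startswith("#"):
            ids.add(uri[1:])
    return ids, whole

def classify_assertions(xml_text):
    """Map each Assertion ID to its signature coverage: 'self', 'inherited' or 'none'.
    Structural only: it says which signature covers the assertion, not whether it verifies."""
    root = ET.fromstring(xml_text)
    ids, whole = referenced_ids(root)
    result = {}
    def walk(el, enclosed_by_signed):
        eid = element_id(el)
        self_signed = eid is not None and eid in ids   # a Reference names this element
        if el.tag == SAML + "Assertion":
            result[eid] = "self" if self_signed else ("inherited" if enclosed_by_signed else "none")
        for child in el:
            walk(child, enclosed_by_signed or self_signed)
    walk(root, whole)
    return result

# Constructed sample: a signed Response carrying one individually signed and one unsigned assertion.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ResponseID="_r1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion AssertionID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
  <saml:Assertion AssertionID="_a2"/>
</samlp:Response>"""

if __name__ == "__main__":
    print(classify_assertions(SAMPLE))  # {'_a1': 'self', '_a2': 'inherited'}
```

Under resolution (A) a relying party would accept only assertions classified "self"; under (B) or (C) it must additionally verify the enclosing signature for those classified "inherited" and confirm the assertion was not moved out of the signed scope.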