security-services message
Subject: RE: Note on Digital Signing in SAML (re-send)


Prateek - It is important to specify BY WHOM the assertions must be signed, not merely that they BE signed.  Whoever signs them may be considered the issuer.  If an unsigned assertion is embedded in a signed response, then it may be deemed to have been issued by the responder.  If one is embedded in a signed message, then it may be deemed to have been issued by the sender.  The question is, under what circumstances should the responder or sender be considered a suitable issuer.  Each protocol profile should be considered separately from this point of view and the signer requirement stipulated.  Best regards.  Tim.

-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Tuesday, July 03, 2001 11:59 AM
To: Mishra, Prateek; 'christopher ferris';
'kelvin.beeck@talkingblocks.com'
Cc: 'Evan Prodromou'; 'security-services@lists.oasis-open.org'
Subject: RE: Note on Digital Signing in SAML (re-send)


The previous message was incomplete! Here is the complete message:
------------------------------------------------------------------

Four separate issues here:

(1) Assertions MAY be signed using XML-SIG
(ISSUE: enveloped, enveloping, detached? --- are we ready to
make a recommendation? Do we want to constrain KeyInfo).

(2) Assertions MUST be signed if the RP receives them from any
intermediary (entity other than AP).

(3) BUT assertions may be embedded within Response/Request
messages. These may also be signed with XML-DSIG (ISSUE: as in
(1) above). Question: If assertions are contained within
a signed Request/Response pair, can they "inherit" the
super-signature?? Should we support this flexibility or
should we insist that assertions be individually signed?

(4) BUT request/response messages may themselves be embedded
within other payloads (XML, MIME). These payloads may themselves
be signed. Should the contained SAML messages "inherit" the
super-signature??


RESOLUTIONS:

(A) Do not consider any signature inheritance notion for
SAML messages or assertions.

(B) Include signature inheritance up to (3), do not include
(4).

(C) Support full inheritance up to (4).
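The following Python is an added example, not code from the thread or from any OASIS specification. It models the relying party's decision between resolutions (A) and (B) above together with the point in the reply: an unsigned assertion that inherits the signature of its enclosing Response is deemed issued by whoever signed that Response, so the relying party must compare that effective issuer against the assertion's stated Issuer rather than merely confirm that "a signature" is present. Real XML-DSIG (canonicalization, Reference and KeyInfo processing) is replaced by a stand-in, an HMAC over the element's serialization keyed per party, so the code runs on the standard library alone; the element names, party names (`idp.example`, `portal.example`) and keys are all constructed for the example.

```python
"""Policy check for embedded SAML assertions: who signed, and who is deemed issuer.

Added example. XML-DSIG is replaced by a toy enveloped signature (HMAC over the
element's serialization, minus its own Signature child). The policy layer is
the point; element and party names are constructed, not from any spec.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed per-party keys standing in for each signer's key material.
SIGNER_KEYS = {
    "idp.example": b"idp-key-constructed",
    "portal.example": b"portal-key-constructed",
}

POLICY_NO_INHERIT = "A"    # resolution (A): every assertion individually signed
POLICY_INHERIT_MSG = "B"   # resolution (B): assertion may inherit the Response signature


def _canonical(elem):
    """Serialize elem without its own toy Signature child (stand-in for C14N)."""
    copy = ET.fromstring(ET.tostring(elem))
    for sig in copy.findall("Signature"):
        copy.remove(sig)
    return ET.tostring(copy)


def sign(elem, signer):
    """Attach a toy enveloped signature naming the signer (stand-in for XML-DSIG)."""
    mac = hmac.new(SIGNER_KEYS[signer], _canonical(elem), hashlib.sha256).hexdigest()
    ET.SubElement(elem, "Signature", signer=signer, value=mac)
    return elem


def verify(elem):
    """Return the signer's name if elem carries a valid toy signature, else None."""
    sig = elem.find("Signature")
    if sig is None:
        return None
    signer = sig.get("signer")
    key = SIGNER_KEYS.get(signer)
    if key is None:
        return None  # unknown party: treat as unsigned rather than trusting the label
    expected = hmac.new(key, _canonical(elem), hashlib.sha256).hexdigest()
    return signer if hmac.compare_digest(expected, sig.get("value", "")) else None


def effective_issuers(response_xml, policy):
    """Decide, per assertion, who is deemed its issuer under the given policy.

    Returns a list of (assertion_id, stated_issuer, effective_issuer, verdict),
    where verdict is 'ok', 'unsigned' or 'issuer-mismatch'.
    """
    resp = ET.fromstring(response_xml)
    resp_signer = verify(resp)
    results = []
    for a in resp.findall("Assertion"):
        stated = a.findtext("Issuer")
        own_signer = verify(a)
        if own_signer is not None:
            effective = own_signer          # individually signed: signer is issuer
        elif policy == POLICY_INHERIT_MSG and resp_signer is not None:
            effective = resp_signer         # inherited: deemed issued by the responder
        else:
            results.append((a.get("ID"), stated, None, "unsigned"))
            continue
        verdict = "ok" if effective == stated else "issuer-mismatch"
        results.append((a.get("ID"), stated, effective, verdict))
    return results


def build_sample():
    """Constructed Response relayed by a portal: assertion a1 signed by the IdP,
    assertion a2 unsigned, and the whole Response signed by the portal."""
    resp = ET.Element("Response", ID="r1")
    a1 = ET.SubElement(resp, "Assertion", ID="a1")
    ET.SubElement(a1, "Issuer").text = "idp.example"
    sign(a1, "idp.example")
    a2 = ET.SubElement(resp, "Assertion", ID="a2")
    ET.SubElement(a2, "Issuer").text = "idp.example"
    sign(resp, "portal.example")
    return ET.tostring(resp)


if __name__ == "__main__":
    sample = build_sample()
    for policy in (POLICY_NO_INHERIT, POLICY_INHERIT_MSG):
        print("policy", policy)
        for row in effective_issuers(sample, policy):
            print("  ", row)
```

Under policy A the unsigned assertion is simply rejected. Under policy B it is accepted as signed, but its effective issuer is the portal, not the IdP it names, so the relying party sees an issuer mismatch instead of silently treating a relayed, unsigned assertion as the IdP's own statement. Any edit to the serialized Response also invalidates both the assertion-level and the Response-level toy signatures, which collapses every assertion to "unsigned".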


