OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [security-services] [XML Signature]SAML profile of XML Signat ure


One thing that has been a concern for me throughout DigSig is that the
terminally clueless are apt to write a routine of the form:

1) Take Assertion
2) Check Signature
3) Trust the assertion

The problem being that the scope of the signature may not be correct.

An application that uses DigSig should do the following:

1) Take Assertion
2) Process through the transformation steps specified in the Signature
3) Check the signature
4) Trust the output of the transformation steps.


		Phill


Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Wednesday, October 24, 2001 10:07 PM
> To: oasis sstc
> Subject: [security-services] [XML Signature]SAML profile of XML
> Signature
> 
> 
> Hi all,
> 
> 	Here is version 0.002. I have the change bars (for 
> those who had read thru
> the previous version).
> 
> 	1.	Would like to get a read on the document. What 
> else need to be added ?
> My initial feeling is that we leave the keyInfo, the choice 
> of algorithms et
> al to the users. IMHO, this spec should be as thin as possible.
> 	2.	Are you comfortable with the issues and 
> resolution in Section 6 ?
> 	3.	There is the issue of associating payload with 
> a header et al. I think
> that belongs to the bindings document as there is no generic way of
> expressing this relationship without knowing the protocol (E.g.. SOAP)
> 
> 	cheers
> 
> 

Phillip Hallam-Baker (E-mail).vcf



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC