[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] Suggested text for POST profile signature usage
The XML Sig guidelines draft includes a section with non-normative recommendations on use of signatures in the POST profile (section 5.1.1) My suggestion for SAML 1.1 is to copy or move this into the bindings and profiles document to supplement lines 694-695 that call out the requirement to sign the Response. In the 1.1 time frame, the language can use "SHOULD", to maintain compatibility with the lack of requirements in the 1.0 spec. We could indicate the intent to turn this into a "MUST" in the 2.0 spec to encourage common implementation in the future. The advantage of mandating this in the 2.0 spec is that the POST profile can be made more efficient by allowing the relying party to examine the signature syntax to determine that the necessary content has been signed (per the guidelines draft, section 4.3). Possible text follows to replace the existing lines: "The SAML response MUST be digitally signed following the guidelines given in [SAMLCore]. In addition, the response Signature SHOULD be constructed with a single Reference containing an empty ("") Reference URI and the Enveloped Signature Transform. Future versions of this specification may mandate these signature requirements and current implementers are encouraged to conform to it. Additional included assertions MAY be digitally signed. The contextual issues raised in [SigGuidelines] apply to such usage and should be taken into account when constructing an embedded signature." -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC