Subject: AI (partial): XML Sig processing rules
As I expected, I haven't had time to formulate a complete proposal yet, but as a harbinger, I'd like to summarize the Liberty 1.1 spec language in section 3.1.5 of protocols/schemas, which describes rules for signature processing. They are essentially what I would propose we adopt for SAML, now that ID attributes are present.

Almost all of the stuff I wrote in the guidelines draft is either background material to explain issues, or obsolete because the ID attributes solve the "how to reference a fragment" problem.

Basically, the rules are:

- Signers MUST use a URI fragment (referred to in the spec as a bare XPointer) to point to the Request/Response/Assertion being signed, using its ID attribute. This looks like <Reference URI="#foo"> where foo is the value of the ID.
- Signers MUST NOT assume that the signed XML is at the root of the eventual document (but this could be relaxed for profiles that mandate it).
- Signers SHOULD NOT use Transforms other than:
    - Enveloped Signature
    - Exclusive XML Canonicalization
- Receivers MAY reject messages that use other transforms.
- Receivers MUST NOT accept other transforms unless they verify that none of the SAML data is excluded from the Reference.
- Signers SHOULD use Exclusive C14N in the SignedInfo C14NMethod.

These rules are simple, use only mandatory parts of the spec (except for Excl C14N, which is a necessary piece regardless), and should solve the interop problems.

I recommend that we simply adopt the rules without regard for the 1.0 spec language or compatibility, since there was no real interop possible with those rules. I've barely been able to maintain interop with myself in Shibboleth! ;-)

-- Scott
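
Added example, not part of the original message: a receiver-side structural check of the rules listed above, written in Python. It inspects only the Reference URI, the Transforms and the CanonicalizationMethod and does not verify the signature value; the function names, the list of ID attribute names and the sample message are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ALLOWED_TRANSFORMS = {DS + "enveloped-signature", EXC_C14N}
# Assumption: ID attribute names from SAML 1.1 (AssertionID, RequestID, ResponseID) and 2.0 (ID).
ID_ATTRS = ("ID", "AssertionID", "RequestID", "ResponseID")

def check_signature_rules(xml_text):
    """Return rule violations for each enveloped ds:Signature found anywhere in the document."""
    problems, seen = [], 0
    for parent in ET.fromstring(xml_text).iter():  # the signed element need not be the root
        for sig in parent.findall(f"{{{DS}}}Signature"):
            seen += 1
            own_id = next((parent.get(a) for a in ID_ATTRS if parent.get(a)), None)
            refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
            if not refs:
                problems.append("reject: Signature has no Reference")
            for ref in refs:
                if own_id is None or ref.get("URI") != "#" + own_id:
                    problems.append(f"reject: Reference URI {ref.get('URI')!r} is not '#' + enclosing ID")
                for tr in ref.iter(f"{{{DS}}}Transform"):
                    if tr.get("Algorithm") not in ALLOWED_TRANSFORMS:
                        problems.append(f"reject: transform {tr.get('Algorithm')!r} is not allowed")
            c14n = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}CanonicalizationMethod")
            if c14n is None or c14n.get("Algorithm") != EXC_C14N:
                problems.append("warn: SignedInfo does not use Exclusive C14N")
    if seen == 0:
        problems.append("reject: no Signature found")
    return problems

def sample(uri, transform, c14n=EXC_C14N):
    """Constructed test message: an Assertion with ID 'foo' nested inside a wrapper element."""
    return f"""<Envelope><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="foo">
      <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="{c14n}"/>
        <ds:Reference URI="{uri}"><ds:Transforms>
          <ds:Transform Algorithm="{DS}enveloped-signature"/>
          <ds:Transform Algorithm="{transform}"/>
        </ds:Transforms></ds:Reference>
      </ds:SignedInfo></ds:Signature></Assertion></Envelope>"""

XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"  # a transform outside the allowed pair
if __name__ == "__main__":
    print(check_signature_rules(sample("#foo", EXC_C14N)))  # conforming message
    print(check_signature_rules(sample("", XPATH)))         # whole-document URI plus XPath transform
```

A message that passes this check still has to go through full XML Signature validation; the check only confirms that the signature covers the element that carries it and uses the two permitted transforms.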