Subject: FW: [security-services] X509 Authn Attribute Profile erratum?

Hi Rick – we discussed this on the SSTC call today. Scott seemed to recall explicitly asking whether it was intended that both the Assertion and the Response must be signed, which is what the text in the intro of section 4.0 implies. It says that the Response must be signed, but then sections 4.2.1 and 4.2.3 say the assertion must be signed (yet the subsections don’t mention signing the Response). If it was intended that both be signed, then section 4.2.1 (<Response> Usage) should be changed to state that the response must contain a <ds:Signature> element. But signing both the assertion and the response is usually overkill unless you believe that the issuer of the assertion is a completely different trusted entity than the sender of the Response message. I don’t believe that would ever be the case in this profile. I believed the intent was to just sign the Assertion, which is what sections 4.2.1 and 4.2.3 were saying. But Scott’s recollection called that into question. Can you elaborate?

Rob Philpott

From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]

I believe the intro is wrong and that section 4.2.1 is correct. I recommend changing the phrase “both by signing the <Response> message and through TLS or SSL server authentication.” to “both by signing the <Assertion> element in the <Response> message and sending the <Response> using TLS or SSL server authentication.”

Rob Philpott

From: Ari Kermaier [mailto:ari.kermaier@oracle.com]

In the overview in Section 4 "Encrypted/Signed Mode", line 194, the profile specifies that the responding IdP MUST sign the <Response>. In Section 4.2.1 "<Response> Usage", line 250, and in Section 4.2.3 "Use of Digital Signatures", line 280, it specifies that the <Assertion> MUST be signed. Which is it?

Ari Kermaier
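As an added illustration of the two readings debated in this thread (not code from the thread or from the OASIS profile), the check below reports whether a SAML 2.0 <Response> carries an enveloped <ds:Signature> on the <Assertion>, on the <Response>, or on both, and lists findings under either reading. The function names and the sample message are constructed for this example; it checks placement only and does no cryptographic verification.

```python
# Added example, not from the OASIS thread: report where <ds:Signature> sits
# in a SAML 2.0 <Response>. Structural placement only; no crypto verification.
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIG = "{%s}Signature" % NS["ds"]

def signature_placement(xml_text: str) -> dict:
    """Which elements carry a *direct* ds:Signature child (enveloped signature)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("root element is not a saml2p:Response")
    assertions = root.findall("saml2:Assertion", NS)
    return {
        "response_signed": any(c.tag == DS_SIG for c in root),
        "assertion_count": len(assertions),
        "assertion_signed": bool(assertions)
        and all(any(c.tag == DS_SIG for c in a) for a in assertions),
    }

def profile_findings(xml_text: str, require_response_signature: bool = False) -> list:
    """Findings under the 'sign the <Assertion>' reading (sections 4.2.1/4.2.3).
    Set require_response_signature=True for the intro's 'sign the <Response>' reading."""
    p = signature_placement(xml_text)
    findings = []
    if p["assertion_count"] == 0:
        findings.append("no saml2:Assertion in Response")
    elif not p["assertion_signed"]:
        findings.append("saml2:Assertion lacks ds:Signature")
    if require_response_signature and not p["response_signed"]:
        findings.append("saml2p:Response lacks ds:Signature")
    return findings

# Constructed sample (not a real message): Assertion signed, Response unsigned.
SAMPLE_ASSERTION_SIGNED = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.test</saml2:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml2:Subject><saml2:NameID>CN=alice,O=Example</saml2:NameID></saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""
```

Run against the sample, the Assertion-only reading yields no findings, while the stricter intro reading flags the unsigned <Response>.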