security-services message



Subject: FW: [security-services] X509 Authn Attribute Profile erratum?


Hi Rick – we discussed this on the SSTC call today.  Scott seemed to recall explicitly asking about whether it was intended that both the Assertion and the Response must be signed, which is what the text in the intro of section 4.0 implies.  It says that the Response must be signed, but then sections 4.2.1 and 4.2.3 say the assertion must be signed (yet the subsections don’t mention signing the Response).

 

If it was intended that both be signed, then section 4.2.1 (<Response> Usage) should be changed to state that the response must contain a <ds:Signature> element.

 

But signing both the assertion and the response is usually overkill unless you believe that the issuer of the assertion is a completely different trusted entity than the sender of the Response message.  I don’t believe that would ever be the case in this profile.

 

I believed the intent was to just sign the Assertion which is what sections 4.2.1 and 4.2.3 were saying.  But Scott’s recollection called that into question.

 

Can you elaborate?       

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email:
rphilpott@rsasecurity.com
I-name:  =Rob.Philpott
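The distinction argued in the message above (a signature on the <Assertion> versus a signature on the enclosing <Response>) comes down to where the <ds:Signature> sits and which element its <ds:Reference> points at. The following is an added example, not code from the profile, the thread, or any OASIS implementation: it parses a SAML 2.0 <Response>, reports which element each enveloped signature covers, and then applies the reading Rob proposes (Assertion signed, Response carried over TLS/SSL server authentication). It does not verify any signature cryptographically; the sample messages and their placeholder <ds:Signature> blocks are constructed for illustration, and a real XML-DSig verifier must still be run on the element identified here.

```python
"""Locate XML-DSig signatures in a SAML 2.0 <Response> and report which element
each one covers, then apply the Assertion-signed + TLS rule from the thread.

Added example (not from the profile or the thread). No cryptographic
verification is performed here; this only answers the structural question
"is the Response signed, the Assertion signed, or both?" A production check
hands the identified element to a real XML-DSig library after this step.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAMLP_RESPONSE = "{%s}Response" % NS["samlp"]
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]


def signed_elements(response_xml: str) -> dict:
    """Return {"Response": bool, "Assertion": bool, "Other": int}.

    A signature is credited to its parent only if it is enveloped (a direct
    child) AND its ds:Reference URI is "#<parent ID>". Any other signature is
    counted under "Other" so a mismatched or wrapped signature is never
    mistaken for a signature over the Response or the Assertion.
    """
    root = ET.fromstring(response_xml)
    if root.tag != SAMLP_RESPONSE:
        raise ValueError("root element is not samlp:Response")
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    found = {"Response": False, "Assertion": False, "Other": 0}
    for sig in root.iter(DS_SIGNATURE):
        owner = parent[sig]
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        owner_id = owner.get("ID", "")
        if owner_id and uri == "#" + owner_id:
            if owner.tag == SAMLP_RESPONSE:
                found["Response"] = True
            elif owner.tag == SAML_ASSERTION:
                found["Assertion"] = True
            else:
                found["Other"] += 1
        else:
            found["Other"] += 1
    return found


def profile_check(response_xml: str, over_tls: bool) -> list:
    """Apply the reading argued in the thread: the <Assertion> MUST be signed
    and the <Response> MUST be sent over TLS/SSL with server authentication.
    Returns the list of violations; an empty list means the message passes."""
    found = signed_elements(response_xml)
    problems = []
    if not found["Assertion"]:
        problems.append("Assertion is not signed")
    if not over_tls:
        problems.append("Response was not received over TLS/SSL server authentication")
    if found["Other"]:
        problems.append("%d signature(s) do not reference their enclosing element" % found["Other"])
    return problems


def _sig(ref_id: str) -> str:
    """Constructed placeholder ds:Signature (no real digest or signature value)."""
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
        '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>' % ref_id
    )


_RESP_OPEN = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
_ASSN_OPEN = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
_TAIL = '<saml:Subject/></saml:Assertion></samlp:Response>'

# Constructed sample messages: what sections 4.2.1/4.2.3 describe (assertion
# signed), what the section 4 intro describes (response signed), and a
# signature inside the Assertion whose Reference points somewhere else.
ASSERTION_SIGNED = _RESP_OPEN + _ASSN_OPEN + _sig("_a1") + _TAIL
RESPONSE_SIGNED = _RESP_OPEN + _sig("_r1") + _ASSN_OPEN + _TAIL
MISMATCHED_REFERENCE = _RESP_OPEN + _ASSN_OPEN + _sig("_somewhere_else") + _TAIL

if __name__ == "__main__":
    for name, msg in [("assertion-signed", ASSERTION_SIGNED),
                      ("response-signed", RESPONSE_SIGNED),
                      ("mismatched-ref", MISMATCHED_REFERENCE)]:
        print(name, signed_elements(msg), profile_check(msg, over_tls=True))
```

Note that a <ds:Signature> enveloped in the Response with a Reference to the Response ID covers the Assertion only transitively (the Assertion is inside the signed content), which is exactly the ambiguity the thread is about: an SP that only checks for a signature on the Assertion will reject a Response-only signature, and an SP that checks the Response will reject an Assertion-only signature, so the profile text has to name one element.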


From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]
Sent: Tuesday, April 11, 2006 12:19 PM
To: Ari Kermaier; security-services@lists.oasis-open.org
Subject: RE: [security-services] X509 Authn Attribute Profile erratum?

 

I believe the intro is wrong and that section 4.2.1 is correct.  I recommend changing the phrase:

 

both by signing the <Response> message and through TLS or SSL server authentication.

 

To

 

both by signing the <Assertion> element in the <Response> message and sending the <Response> using TLS or SSL server authentication.

 

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email:
rphilpott@rsasecurity.com
I-name:  =Rob.Philpott


From: Ari Kermaier [mailto:ari.kermaier@oracle.com]
Sent: Tuesday, April 04, 2006 11:36 AM
To: security-services@lists.oasis-open.org
Subject: [security-services] X509 Authn Attribute Profile erratum?

 

In the overview in Section 4 "Encrypted/Signed Mode" line 194, the profile specifies that the responding IdP MUST sign the <Response>.

 

In Section 4.2.1 "<Response> Usage" line 250 and in Section 4.2.3 "Use of Digital Signatures" line 280 it specifies that the <Assertion> MUST be signed.

 

Which is it?

 

Ari Kermaier

 


