security-services message
Subject: RE: [security-services] Assertion signing confusion


> So this is a general statement about all profiles where assertions and
> signing are concerned.  However, the SAML profile document makes other
> statements which seem to make more strict requirements (sect 4.1.3.5,
> lines 497-500).
> 
> " The <Assertion> element(s) in the <Response> MUST be signed, if the HTTP
> POST binding is used, and MAY be signed if the HTTP-Artifact binding is
> used."

This is already fixed in errata.

> I think that this may add to the impression that the <Assertion> element
> itself must be signed.

Yes, that's the point though. If you say you want the assertion signed,
that's what you should get, not the response.

> So I would suggest that clarifying language be added in the Profile
> document around 4.1.3.5 line 500 indicating that the "signature
> inheritance" notion applies to the <Assertion> element in a POST message
> --- if that is indeed the intent.

We did.

-- Scott
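A verification-side check for the distinction drawn above (a signature on the enclosing <Response> is not a signature on the <Assertion>), as an added example that is not part of this thread or of any SAML implementation. The SAML Response documents are constructed; the check only reports where a ds:Signature element sits and does not verify it cryptographically.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def signature_placement(response_xml: str) -> dict:
    """Report which elements of a SAML 2.0 <Response> carry a *direct*
    <ds:Signature> child. Only a direct child counts: a signature on the
    <Response> covers the assertion's bytes, but it is not a signature
    *on* the <Assertion>, and a relying party that extracts the assertion
    on its own cannot rely on it."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")

    def directly_signed(el) -> bool:
        return any(child.tag == f"{{{DS}}}Signature" for child in el)

    assertions = root.findall(f"{{{SAML}}}Assertion")
    return {
        "response_signed": directly_signed(root),
        "assertion_count": len(assertions),
        "assertions_signed": [directly_signed(a) for a in assertions],
    }


def assertions_signed_as_required(response_xml: str) -> bool:
    """Policy for a deployment that requires the assertion itself be signed
    (the HTTP POST case discussed in the thread): every <Assertion> must
    carry its own <ds:Signature>; a Response-level signature alone fails."""
    p = signature_placement(response_xml)
    return p["assertion_count"] > 0 and all(p["assertions_signed"])


# Constructed sample documents (structure only; the signature is a stub).
_SIG = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/>'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def _response(sign_response: bool, sign_assertion: bool) -> str:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            'ID="_r1" Version="2.0"><saml:Issuer>https://idp.example.org</saml:Issuer>'
            + (_SIG if sign_response else "")
            + '<saml:Assertion ID="_a1" Version="2.0">'
            '<saml:Issuer>https://idp.example.org</saml:Issuer>'
            + (_SIG if sign_assertion else "")
            + '</saml:Assertion></samlp:Response>')


RESPONSE_ONLY_SIGNED = _response(sign_response=True, sign_assertion=False)
ASSERTION_SIGNED = _response(sign_response=False, sign_assertion=True)
```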
