Subject: RE: [security-services] Assertion signing confusion
> So this is a general statement about all profiles where assertions and
> signing are concerned. However, the SAML profile document makes other
> statements which seem to make more strict requirements (sect 4.1.3.5,
> lines 497-500).
>
> "The <Assertion> element(s) in the <Response> MUST be signed, if the HTTP
> POST binding is used, and MAY be signed if the HTTP-Artifact binding is
> used."

This is already fixed in errata.

> I think that this may add to the impression that the <Assertion> element
> itself must be signed.

Yes, that's the point though. If you say you want the assertion signed, that's what you should get, not the response.

> So I would suggest that clarifying language be added in the Profile document
> around 4.1.3.5 line 500 indicating that the "signature inheritance" notion
> applies to the <Assertion> element in a POST message --- if that is indeed
> the intent.

We did.

-- Scott