Simple Sign not so simple

[sampo@symlabs.com]

In recent interop testing we have found several points worth clarifying.

1. Spec says that whitespace inside the XML is preserved. It would
   be helpful to mention that whitespace before and after the
   XML should also be preserved. Or else forbid the leading and
   trailing whitespace.

2. It would be worth mentioning that in addition to the XML document,
   also the processing instructions, etc. need to be preserved. Or
   else forbid the <?xml ...> preamble.

3. A stance should be taken on use of UTF-8 encoding (presumably
   this is the only encoding allowed by the binding).

4. A stance should be taken on the UTF byte order mark (BOM). I think
   it should be outlawed.

5. Is the SigAlg included in the signed data in URL encoded form
   or not, i.e.

     SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1

   or

     SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1

6. Handling of following special cases should be clarified
   a. Response to request that had empty, but present, RelayState.
   b. Response to request that had no RelayState

   My reading of the spec as it stands is that in both cases
   the material that is signed will be

     SAMLResponse=...&RelayState=&SigAlg=...

   I.e. the RelayState= label is present in the signature in
   all cases irrespective of whether the RelayState was supplied
   in the request.

7. For debugging and also clarification of the material to be signed,
   the example should have additional section that shows the material
   that was signed.

Cheers,
--Sampo