[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Simple Sign not so simple
In recent interop testing we have found several points worth clarifying.
1. Spec says that whitespace inside the XML is preserved. It would
be helpful to mention that whitespace before and after the
XML should also be preserved. Or else forbid the leading and
trailing whitespace.
2. It would be worth mentioning that in addition to the XML document,
also the processing instructions, etc. need to be preserved. Or
else forbid the <?xml ...> preamble.
3. A stance should be taken on use of UTF-8 encoding (presumably
this is the only encoding allowed by the binding).
4. A stance should be taken on the UTF byte order mark (BOM). I think
it should be outlawed.
5. Is the SigAlg included in the signed data in URL encoded form
or not, i.e.
SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
or
SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1
6. Handling of following special cases should be clarified
a. Response to request that had empty, but present, RelayState.
b. Response to request that had no RelayState
My reading of the spec as it stands is that in both cases
the material that is signed will be
SAMLResponse=...&RelayState=&SigAlg=...
I.e. the RelayState= label is present in the signature in
all cases irrespective of whether the RelayState was supplied
in the request.
7. For debugging and also clarification of the material to be signed,
the example should have additional section that shows the material
that was signed.
Cheers,
--Sampo
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]