Subject: RE: [security-services] Minutes minutes SSTC/SAML concall Tue21-Oct-2008
> > In other words, I'm told that it's left open in XMLSignature for a reason,
> > and it's not clear to me why we have any better reason to constrain it than
> > we would for the XML encoding.

Scott: What's the reason that you're told it's left open in XML-DSIG?

> The reason for specifying the encoding is quite clear to me at least.
> If the SAML issuer is allowed to bind an arbitrarily encoded X.509
> certificate to a HoK assertion, the relying party has no way of
> determining what encoding was used, and therefore the relying party is
> unable to confirm the subject.

If a particular community/federation uses a certificate encoding other than DER, what option do they have open to them if DER is REQUIRED? I suppose they could create a new profile, but it seems odd to do that just to specify a different certificate encoding.

In general, though, this is a potential interop problem that we should try to solve, IMO. I guess we don't want to do something like extending the ds:X509Certificate element to add an Encoding attribute?

> > Alternatively, I guess I'd be in favor of making this a RECOMMENDED
> > encoding, but doing that in SAML core itself, rather than requiring every
> > profile that touches this element to repeat it.
>
> Right, which is the same language I used in the HoK Assertion Profile
> with respect to DNs, but not because I wanted to. I would much rather
> specify a DN MUST conform to RFC2253 (or RFC4515). There's too much
> variability in DN string formats to leave this open.

I guess RECOMMENDED is the way to go.

::Ari

--
Ari Kermaier | Senior Software Development Manager
Oracle Identity Management Product Development
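The interop problem discussed in this message, as an added example that is not part of the original e-mail or of any SAML specification text: a relying party that confirms a holder-of-key subject by byte-comparing the presented certificate with the decoded ds:X509Certificate content succeeds only if the issuer bound the same encoding. The function names, the minimal SubjectConfirmationData layout and the certificate bytes are constructed for illustration.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the DER bytes of the presenter's certificate
# (not a real certificate; only byte equality matters in this example).
PRESENTED_DER = bytes.fromhex("3082010a0282010100") + bytes(range(64))

def pem_wrap(der):
    """Same certificate bytes in a different encoding (PEM text armor)."""
    body = base64.encodebytes(der).decode("ascii")
    pem = "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
    return pem.encode("ascii")

def build_confirmation(cert_bytes):
    """Issuer side (hypothetical helper): bind cert_bytes, whatever encoding."""
    b64 = base64.b64encode(cert_bytes).decode("ascii")
    return (f'<saml:SubjectConfirmationData xmlns:saml="{SAML}" xmlns:ds="{DS}">'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}'
            f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            f'</saml:SubjectConfirmationData>')

def confirm_subject(confirmation_xml, presented_der):
    """Relying party side: True only if a bound certificate equals the
    presented one byte for byte, assuming the bound value is DER."""
    # Input here is constructed; untrusted XML needs a hardened parser.
    root = ET.fromstring(confirmation_xml)
    for node in root.iter(f"{{{DS}}}X509Certificate"):
        text = "".join((node.text or "").split())  # drop line wrapping
        try:
            bound = base64.b64decode(text, validate=True)
        except ValueError:
            continue  # not valid base64: cannot be used for confirmation
        if hmac.compare_digest(bound, presented_der):
            return True
    return False

if __name__ == "__main__":
    print(confirm_subject(build_confirmation(PRESENTED_DER), PRESENTED_DER))
    print(confirm_subject(build_confirmation(pem_wrap(PRESENTED_DER)), PRESENTED_DER))
```

With nothing in the element to signal the encoding, the second call fails even though both sides hold the same certificate.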