Subject: R: [security-services] SOA-TEL Token Correlation Profile: signature problem



Hi Scott,
As you courteously informed me, SAML is possibly going to be re-profiled to support the new version of XML Signature coming out.
When do you think this will happen? By the first quarter of next year?
So, could I be informed if the group agrees to consider additional signature profiles that allow portions of the assertion to be excluded?



-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, 29 September 2010 16:32
To: Rossini Federico; security-services@lists.oasis-open.org
Subject: RE: [security-services] SOA-TEL Token Correlation Profile: signature problem

> The IDP signs SAML-Y by putting in the assertion, besides the <transform>
> element which excludes the signature itself, another <transform> element to
> exclude the <token-correlated> element.

Signed SAML assertions require a specific signature profile that does not
allow for arbitrary transforms. Your assertions would be rejected by any
correctly implemented off the shelf implementation unless a new profile was
developed, agreed to, and implemented.

Speaking for myself, I have some interest in a revised signature profile,
but it would be based on the eventual XML Signature 2.0 work.

> For the transform element management I refer to paragraph: "6.6.3 XPath
> Filtering" of "XML Signature Syntax and Processing" specification

Just FYI, the v1 XPath filter in XML Signature has been deprecated for years
in favor of the XPath2 Filter transform.

-- Scott



This message and its attachments are addressed exclusively to the persons indicated. Disclosure, copying or any other action arising from knowledge of this information is strictly prohibited. If you have received this document in error, please notify the sender immediately and destroy it. Thank you.

This e-mail and any attachments is confidential and may contain privileged information intended for the addressee(s) only. Dissemination, copying, printing or use by anybody else is unauthorised. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return e-mail, Thanks.
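Scott's point above is that a relying party following the SAML signature profile accepts only the enveloped-signature transform and exclusive canonicalization on an assertion's ds:Reference, so a signature that adds an XPath transform to exclude part of the assertion is rejected before any cryptographic check runs. The following is an added example, not code from the thread or from any OASIS or SOA-TEL deliverable: a structural pre-check that walks the ds:Signature of a SAML 2.0 assertion and reports anything outside that allowlist. It assumes the profile rules as summarised above (exactly one enveloped signature, exactly one Reference pointing at the assertion's own ID, exclusive C14N, no other transforms); the two assertions are constructed samples with placeholder digest and signature values, and the second one carries the kind of XPath filter transform the thread describes.

```python
"""Pre-check a SAML 2.0 assertion's ds:Signature against the SAML
signature profile before handing it to an XML-Signature library.

Added example; assumptions: enveloped signature + exclusive C14N are the
only permitted transforms, one Reference, URI = "#" + assertion ID.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

ALLOWED_C14N = {EXC_C14N, EXC_C14N + "WithComments"}
ALLOWED_TRANSFORMS = {ENVELOPED} | ALLOWED_C14N


def check_signature_profile(assertion_xml):
    """Return a list of profile violations (empty list means the signature
    structure is acceptable and cryptographic verification may proceed)."""
    root = ET.fromstring(assertion_xml)
    problems = []

    # The signature must be a direct child of the assertion element.
    sigs = root.findall(f"{{{DS}}}Signature")
    if len(sigs) != 1:
        problems.append(f"expected exactly one ds:Signature child, found {len(sigs)}")
        return problems
    sig = sigs[0]

    c14n = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}CanonicalizationMethod")
    if c14n is None or c14n.get("Algorithm") not in ALLOWED_C14N:
        problems.append("CanonicalizationMethod is not exclusive C14N")

    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        problems.append(f"expected exactly one ds:Reference, found {len(refs)}")

    expected_uri = "#" + root.get("ID", "")
    for ref in refs:
        uri = ref.get("URI", "")
        if uri != expected_uri:
            problems.append(f"Reference URI {uri!r} does not point at the assertion ID")
        transforms = ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")
        algs = [t.get("Algorithm") for t in transforms]
        if ENVELOPED not in algs:
            problems.append("enveloped-signature transform is missing")
        for alg in algs:
            if alg not in ALLOWED_TRANSFORMS:
                # XPath / XPath Filter 2 / XSLT transforms all land here:
                # they let the signer exclude parts of the signed assertion.
                problems.append(f"disallowed transform {alg}")
    return problems


def _assertion(transforms_xml):
    """Build a constructed sample assertion around the given ds:Transforms."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="{DS}" ID="_a1" Version="2.0" IssueInstant="2010-09-29T14:32:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1">
        <ds:Transforms>{transforms_xml}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""


# Constructed sample 1: profile-conformant transforms.
GOOD_ASSERTION = _assertion(
    f'<ds:Transform Algorithm="{ENVELOPED}"/>'
    f'<ds:Transform Algorithm="{EXC_C14N}"/>'
)

# Constructed sample 2: an extra XPath filter transform that carves an
# element out of the signed content, as described in the thread.
BAD_ASSERTION = _assertion(
    f'<ds:Transform Algorithm="{ENVELOPED}"/>'
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">'
    "<ds:XPath>not(ancestor-or-self::*[local-name()='TokenCorrelated'])</ds:XPath>"
    "</ds:Transform>"
    f'<ds:Transform Algorithm="{EXC_C14N}"/>'
)

if __name__ == "__main__":
    print("good:", check_signature_profile(GOOD_ASSERTION))
    print("bad: ", check_signature_profile(BAD_ASSERTION))
```

The check is deliberately separate from signature verification: the XML-Signature library still has to be configured with the same allowlist (most can be told which transforms to accept), but rejecting the structure first keeps an unexpected transform from ever reaching the canonicalization and digest code, which is where transform-based exclusions take effect.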