Subject: Re: [security-services] Please review PE-16 text
Hi Scott,

In some cases such as SP-800-63 LoA 3 where non-repudiation is required, signing the message is probably not enough. I can see cases where the assertion is signed, then encrypted, then the message is signed. I agree that in most cases signing the message is sufficient as long as there is no way to trick an IdP into signing a message containing a SAML assertion. Given that it is current practice within the FICAM and other profiles to sign then encrypt POST responses, we may want to be more explicit that you MUST sign the POST message if the assertion is CBC encrypted, even if the encrypted assertion is already signed. I suspect that people may read:

To allow just signing inside the encryption.

Regards,
John B.

On 2012-01-10, at 12:37 PM, Cantor, Scott wrote:
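The rule argued above, that a POST Response carrying a CBC-encrypted assertion must itself be signed, can be enforced by a relying party as a structural pre-check before decryption. The following is an added example, not code from the OASIS SSTC or from any SAML implementation; it only inspects the message structure and assumes that actual XML Signature verification of the Response is done separately by the deployment's SAML library. The sample Responses are constructed placeholders with dummy ciphertext.

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) on untrusted input
from typing import Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Block-cipher CBC algorithms defined by XML Encryption 1.0.
CBC_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}

def inspect_response(xml_text: str) -> Tuple[bool, bool]:
    """Return (cbc_used, message_signed) for a samlp:Response document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # A message-level signature is a ds:Signature that is a direct child of the Response;
    # a signature nested inside the (still encrypted) assertion does not count here.
    message_signed = root.find("ds:Signature", NS) is not None
    cbc_used = False
    for enc in root.findall("saml:EncryptedAssertion/xenc:EncryptedData", NS):
        method = enc.find("xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm", "") if method is not None else ""
        # A missing or unknown algorithm is treated conservatively as CBC-class.
        if not alg or alg in CBC_ALGORITHMS:
            cbc_used = True
    return cbc_used, message_signed

def accept_for_decryption(xml_text: str) -> bool:
    """Policy gate: refuse to decrypt a CBC-encrypted assertion from an unsigned Response."""
    cbc_used, message_signed = inspect_response(xml_text)
    return message_signed or not cbc_used

def _response(signed: bool, algorithm: str) -> str:
    """Build a minimal constructed Response (placeholder signature and ciphertext)."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo/></ds:Signature>') if signed else ""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
            f'{sig}<saml:EncryptedAssertion>'
            '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
            f'<xenc:EncryptionMethod Algorithm="{algorithm}"/>'
            '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')

SIGNED_CBC = _response(True, "http://www.w3.org/2001/04/xmlenc#aes128-cbc")
UNSIGNED_CBC = _response(False, "http://www.w3.org/2001/04/xmlenc#aes128-cbc")
UNSIGNED_GCM = _response(False, "http://www.w3.org/2009/xmlenc11#aes128-gcm")
```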