saml-dev message
Subject: RE: [saml-dev] (ex / non ex) canonical XML


One of the results of XPath Filter being difficult/slow, along with the absence of ID attributes, was that many implementers of SAML 1.0 just refused to do it, and assumed that other implementations would just "know" what the target of the signature was supposed to be from semantic context. This had the effect of hurting interoperability with implementations that used general purpose XML signature libraries, rather than signature implementations geared specifically to SAML 1.0.

::Ari

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Tuesday, March 14, 2006 2:34 PM
> To: 'Brian Campbell'; saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] (ex / non ex) canonical XML
> 
> 
> We copied the actual signing profile from Liberty ID-FF 1.1, which correctly
> identified the need for a signature profile.
> 
> One of the reasons is c14n, but that's not the big one. The real issue in
> SAML 1.0 was the lack of ID attributes. Nobody involved knew enough about
> dsig to understand that XPath signing is terrible. To ease the job of
> implementers, we needed to profile the reference and transforms into a
> constrained set so people didn't have to grok anything to figure out what
> was signed.
> 
> That was the key fix, but also the break in compatibility.
> 
> As to your question, signing just doesn't work interoperably in SAML 1.0, so
> that's the basic answer.
> 
> -- Scott
> 
> 
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on 
> implementing the SAML OASIS Standard. To minimize spam in the
> archives, you must subscribe before posting.
> 
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/saml-dev/
> Committee homepage: http://www.oasis-open.org/committees/security/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/
> 
>
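The failure mode described in this exchange, a verifier that assumes from context what a signature covers instead of reading the ds:Reference, can be caught with a structural pre-check of the kind the later SAML signature profile made possible. The code below is an added example written for this archive page; it is not code from the thread, from OASIS, or from any SAML implementation. It assumes a SAML 1.1-style assertion whose root carries an AssertionID attribute, and it applies my reading of the profiled rules (one enveloped signature, one same-document "#ID" reference, only the enveloped-signature and exclusive-c14n transforms). It only inspects the reference and transforms; digest and SignatureValue verification are left to a proper XML-DSig library that runs after this gate. The sample assertions are constructed and carry placeholder digest and signature values.

```python
import xml.etree.ElementTree as ET

# Real W3C identifiers used in ds:Transform/@Algorithm.
DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
XPATH_FILTER2 = "http://www.w3.org/2002/06/xmldsig-filter2"

# Assumed profile (my reading of the SAML 1.1/2.0 signature profile, not a
# quotation from the thread): only these two transforms are acceptable.
ALLOWED_TRANSFORMS = {ENVELOPED, EXC_C14N}


def check_signature_reference(xml_text, id_attr="AssertionID"):
    """Return (ok, reason) after checking that the enveloped ds:Signature's
    single Reference points at the root element by ID and uses only profiled
    transforms. This is a gate to run before cryptographic verification; it
    does not check digests or the SignatureValue."""
    root = ET.fromstring(xml_text)
    target_id = root.get(id_attr)
    if not target_id:
        return False, f"root element has no {id_attr} attribute; nothing to reference"

    # An enveloped signature must be a direct child of the element it covers.
    sigs = root.findall(f"{{{DS}}}Signature")
    if len(sigs) != 1:
        return False, f"expected exactly one ds:Signature child of the root, found {len(sigs)}"

    refs = sigs[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return False, f"expected exactly one ds:Reference, found {len(refs)}"
    ref = refs[0]

    # The point of the profile: the signature states what it covers, so the
    # verifier never has to guess from "semantic context".
    uri = ref.get("URI")
    if uri != "#" + target_id:
        return False, f"Reference URI {uri!r} is not a same-document reference to #{target_id}"

    algs = [t.get("Algorithm") for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
    if ENVELOPED not in algs:
        return False, "missing enveloped-signature transform; the signature would cover itself"
    unprofiled = [a for a in algs if a not in ALLOWED_TRANSFORMS]
    if unprofiled:
        return False, f"unprofiled transform(s) {unprofiled} (XPath selection included) rejected"
    return True, f"Reference #{target_id} is a profiled same-document ID reference"


def build_sample(assertion_id, reference_uri, transforms):
    """Constructed SAML 1.1-style assertion with an enveloped signature.
    Digest and signature values are placeholders; the document is for
    exercising the structural check only."""
    tlist = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    return f'''<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  AssertionID="{assertion_id}" MajorVersion="1" MinorVersion="1"
  Issuer="https://idp.example.test" IssueInstant="2006-03-14T19:34:00Z">
  <saml:Conditions NotBefore="2006-03-14T19:34:00Z" NotOnOrAfter="2006-03-14T19:44:00Z"/>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="{reference_uri}">
        <ds:Transforms>{tlist}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>'''


if __name__ == "__main__":
    cases = {
        "SAML 1.1 style (ID reference)": build_sample("_a1", "#_a1", [ENVELOPED, EXC_C14N]),
        "SAML 1.0 style (XPath selection)": build_sample("_a1", "", [ENVELOPED, XPATH]),
        "signature referencing another assertion": build_sample("_a1", "#_b2", [ENVELOPED, EXC_C14N]),
    }
    for name, doc in cases.items():
        print(f"{name}: {check_signature_reference(doc)}")
```

The second and third cases are the ones the thread is about: a SAML 1.0-era signature that selects its content with XPath and an empty URI gives a general-purpose DSig library no unambiguous target, and a signature whose Reference names a different ID than the assertion it sits in is exactly what a verifier that "just knows" the target from context would accept. Passing this gate still says nothing about authenticity; the digest and signature must then be verified by an XML-DSig library against a trusted key.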