Subject: RE: [saml-dev] Signing protocols and assertions


> In saml-core specification 5.4.6 example, Response and Assertion were
> signed by using <InclusiveNamespaces>. If I sign those by simply using
> exc-c14n without <InclusiveNamespaces> processing, which case will have
> trouble? In turn, what kind of elements or attributes will make trouble in
> SAML?

Well, when you sign, you have to ensure that any non-visibly-used namespaces
are included or the message is vulnerable to namespace substitution attacks.
If you have no such namespaces to worry about, then you don't need to do
anything. There's nobody else who can answer that question; it depends on
the message. If you have QName data or xsi:types with namespaces that aren't
used anywhere else, then you have to deal with it.

If you're asking whether an implementation has to be able to verify a
signature with that feature, then the answer is certainly yes; it's part of
supporting exclusive c14n.

-- Scott
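The namespace substitution risk described above, as an added example that is not part of the thread: a simplified exclusive C14N (one element with attributes and text; the real algorithm also orders attributes by namespace URI and recurses into children) shows that a prefix used only inside a QName attribute value such as xsi:type is not "visibly utilized", so its declaration is dropped from the canonical form and rebinding it leaves the signed bytes unchanged unless the prefix is listed in an InclusiveNamespaces PrefixList. The sample element and the rebound namespace URI are constructed for this example.

```python
import hashlib
from xml.dom import minidom

# Constructed sample: the 'xs' prefix occurs only inside the xsi:type VALUE,
# so exclusive C14N does not treat it as visibly used by this element.
ORIGINAL = (
    '<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
    'xsi:type="xs:string">admin</saml:AttributeValue>'
)
# Same element with the 'xs' prefix rebound to a different (constructed) namespace.
REBOUND = ORIGINAL.replace(
    'http://www.w3.org/2001/XMLSchema"', 'http://example.invalid/other-schema"'
)


def exc_c14n(xml_text, inclusive_prefixes=()):
    """Simplified exclusive C14N of a single element.

    A namespace declaration survives only if its prefix is visibly used in the
    element name or an attribute name, or appears in inclusive_prefixes (the
    InclusiveNamespaces PrefixList). Output is sorted by prefix/attribute name,
    which is a simplification of the spec's ordering rules.
    """
    el = minidom.parseString(xml_text).documentElement
    ns_decls, attrs = {}, {}
    for name, value in el.attributes.items():
        if name == "xmlns":
            ns_decls[""] = value
        elif name.startswith("xmlns:"):
            ns_decls[name[len("xmlns:"):]] = value
        else:
            attrs[name] = value
    visible = {el.prefix or ""} | {a.split(":")[0] for a in attrs if ":" in a}
    keep = visible | set(inclusive_prefixes)
    ns_out = "".join(
        (f' xmlns:{p}="{u}"' if p else f' xmlns="{u}"')
        for p, u in sorted(ns_decls.items()) if p in keep
    )
    attr_out = "".join(f' {n}="{v}"' for n, v in sorted(attrs.items()))
    text = "".join(c.data for c in el.childNodes if c.nodeType == c.TEXT_NODE)
    return f"<{el.tagName}{ns_out}{attr_out}>{text}</{el.tagName}>"


def reference_digest(xml_text, inclusive_prefixes=()):
    """SHA-256 over the canonical bytes, i.e. what a ds:Reference would sign."""
    return hashlib.sha256(exc_c14n(xml_text, inclusive_prefixes).encode()).hexdigest()
```

Without a PrefixList the digests of ORIGINAL and REBOUND are identical, so the signature would still verify after the rebinding; with PrefixList="xs" the xmlns:xs declaration is part of the signed bytes and the digests differ.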