Subject: RE: [saml-dev] Signing protocols and assertions
> In saml-core specification 5.4.6 example, Response and Assertion were
> signed by using <InclusiveNamespaces>. If I sign those by simply using
> exc-c14n without <InclusiveNamespaces> processing, which case will have
> trouble? In turn, what kind of elements or attributes will make trouble in
> SAML?

Well, when you sign, you have to ensure that any non-visibly-used namespaces are included or the message is vulnerable to namespace substitution attacks. If you have no such namespaces to worry about, then you don't need to do anything.

There's nobody else who can answer that question; it depends on the message. If you have QName data or xsi:types with namespaces that aren't used anywhere else, then you have to deal with it.

If you're asking whether an implementation has to be able to verify a signature with that feature, then the answer is certainly yes; it's part of supporting exclusive c14n.

-- Scott
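Added example, not part of the original message or of any SAML implementation: a signer-side check that lists the prefixes an element needs in its <InclusiveNamespaces> PrefixList, because they occur only inside xsi:type values or other QName-valued attributes. The function name, the `qname_attrs` parameter and the sample assertion are assumptions made for illustration; the element to be signed is passed as a standalone document, and QNames in element text are not examined.

```python
from xml.dom import minidom

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

def split_qname(name):
    """Return (prefix, local); prefix is '' when the name has no colon."""
    prefix, _, local = name.rpartition(":")
    return prefix, local

def required_prefix_list(xml_text, qname_attrs=()):
    """Prefixes used in QName values whose binding exc-c14n would not emit.
    qname_attrs (hypothetical parameter): unprefixed attribute names that the
    schema defines as QName-valued; xsi:type is always checked."""
    needed = set()

    def walk(el, in_scope, rendered):
        in_scope, rendered = dict(in_scope), dict(rendered)
        attrs = list(el.attributes.items())
        for name, value in attrs:                  # namespace declarations on el
            if name == "xmlns":
                in_scope[""] = value or None
            elif name.startswith("xmlns:"):
                in_scope[name[6:]] = value
        plain = [(n, v) for n, v in attrs
                 if n != "xmlns" and not n.startswith("xmlns:")]
        # Visibly utilized: the element's own prefix plus its attributes' prefixes.
        visible = {split_qname(el.tagName)[0]}
        visible |= {split_qname(n)[0] for n, _ in plain if ":" in n}
        for p in visible:
            rendered[p] = in_scope.get(p)          # binding exc-c14n emits here
        for name, value in plain:
            p, local = split_qname(name)
            is_xsi_type = local == "type" and p and in_scope.get(p) == XSI_NS
            if is_xsi_type or (not p and local in qname_attrs):
                vp = split_qname(value.strip())[0]
                if in_scope.get(vp) != rendered.get(vp):
                    needed.add(vp or "#default")   # PrefixList token for xmlns=
        for child in el.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child, in_scope, rendered)

    walk(minidom.parseString(xml_text).documentElement, {}, {})
    return sorted(needed)

# Constructed sample: "xs" appears only inside the xsi:type value.
SAMPLE = '''<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <saml:AttributeValue xsi:type="xs:string">a@example.org</saml:AttributeValue>
</saml:Assertion>'''
print(required_prefix_list(SAMPLE))
```

An empty result means every QName prefix is already bound by a declaration exclusive c14n emits, so no PrefixList is needed for that element.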