
saml-dev message


Subject: Re: [saml-dev] Discrepancy in SAML Spec

I think/hope that section 5.3 from sstc-saml-core-errata-2.0-wd-06
clears it up by saying that an assertion can 'inherit' a signature
from its containing response element.

5.3 Signature Inheritance

A SAML assertion may be embedded within another SAML element, such as an enclosing <Assertion> or a request or response, which may be signed. When a SAML assertion does not contain a <ds:Signature> element, but is contained in an enclosing SAML element that contains a <ds:Signature> element, and the signature applies to the <Assertion> element and all its children, then the assertion can be considered to inherit the signature from the enclosing element. The resulting interpretation should be equivalent to the case where the assertion itself was signed with the same key and signature options.

On Wed, Aug 17, 2011 at 3:09 AM, Bernd Zwattendorfer <zwatte@gmx.net> wrote:
> Hi all,
> I just found a discrepancy in the current published version of the SAML
> 2.0 Profiles specification.
> http://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf
> On the one hand, the Web SSO Profile specifies (section, lines
> 553-555):
> "The <Assertion> element(s) in the <Response> MUST be signed, if the
> HTTP POST binding is used."
> On the other hand, section (lines 685-687) defines:
> If the HTTP POST binding is used to deliver the <Response> each
> assertion MUST be protected by a digital signature. This can be
> accomplished by signing each individual <Assertion> element or by
> signing the <Response> element.
> I hope this is the correct mailing list for filing such an issue.
> Best regards,
> Bernd
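The inheritance rule in section 5.3 and the HTTP POST requirement quoted from the Profiles spec can be turned into a structural check on the receiving side: each <Assertion> must either carry its own enveloped <ds:Signature>, or sit inside a <Response> whose enveloped signature references the Response's own ID (and therefore covers all its children). The following is an added illustration written for this thread, not code from OASIS or any SAML library; the function names, the sample Response strings and the simplified <ds:Signature> skeletons are constructed, and the cryptographic verification of each signature is assumed to happen separately, so this only decides which signature a given assertion is relying on.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 Responses and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _signature_covers(element):
    """True if element carries an enveloped <ds:Signature> whose single
    <ds:Reference> points at the element's own ID, i.e. the signature
    applies to the element and all its children. A signature that
    references some other ID is not counted as covering this element."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + element.get("ID", "")

def assertion_signature_status(response_xml):
    """Map each <Assertion> ID to 'direct', 'inherited' (sec. 5.3) or 'unsigned'."""
    root = ET.fromstring(response_xml)
    response_signed = _signature_covers(root)
    status = {}
    for assertion in root.findall("saml:Assertion", NS):
        if _signature_covers(assertion):
            status[assertion.get("ID")] = "direct"
        elif response_signed:
            status[assertion.get("ID")] = "inherited"
        else:
            status[assertion.get("ID")] = "unsigned"
    return status

def all_assertions_protected(response_xml):
    """HTTP POST rule from the thread: every assertion signed directly or via the Response."""
    return all(s != "unsigned" for s in assertion_signature_status(response_xml).values())

# Constructed samples (hypothetical IDs, no real signature values; only structure matters here).
def _sig(uri):
    return f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{uri}"/></ds:SignedInfo></ds:Signature>'

def _response(signature, assertions):
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_resp1">{signature}{assertions}</samlp:Response>')

SIGNED_RESPONSE = _response(_sig("#_resp1"),
    '<saml:Assertion ID="_a1">' + _sig("#_a1") + '</saml:Assertion><saml:Assertion ID="_a2"/>')
UNSIGNED_RESPONSE = _response("", '<saml:Assertion ID="_a1"/>')
MISMATCHED_RESPONSE = _response(_sig("#_other"), '<saml:Assertion ID="_a1"/>')
```

For SIGNED_RESPONSE the first assertion is reported as "direct" and the second as "inherited"; a Response whose signature references an ID other than its own does not let its assertions inherit anything, so they stay "unsigned".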
