Subject: Re: [saml-dev] Discrepancy in SAML Spec


Hi Brian,

thank you for the clarification! Anyway, a reference to this section
might be helpful to avoid further misunderstandings.

Best regards,
Bernd

On 17.08.2011 15:53, Brian Campbell wrote:
> I think/hope that section 5.3 from sstc-saml-core-errata-2.0-wd-06
> clears it up by saying that an assertion can 'inherit' a signature
> from its containing response element.
>
> 5.3  Signature Inheritance
> A SAML assertion may be embedded within another SAML element, such as
> an enclosing <Assertion>
> or a request or response, which may be signed. When a SAML assertion
> does not contain a
> <ds:Signature> element, but is contained in an enclosing SAML element
> that contains a
> <ds:Signature> element, and the signature applies to the <Assertion>
> element and all its children,
> then the assertion can be considered to inherit the signature from the
> enclosing element. The resulting
> interpretation should be equivalent to the case where the assertion
> itself was signed with the same key
> and signature options.
>
> On Wed, Aug 17, 2011 at 3:09 AM, Bernd Zwattendorfer <zwatte@gmx.net> wrote:
>> Hi all,
>>
>> I just found a discrepancy in the current published version of the SAML
>> 2.0 Profiles specification.
>> http://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf
>>
>> On the one hand, the Web SSO Profile specifies (section 4.1.3.5, lines
>> 553-555):
>> "The <Assertion> element(s) in the <Response> MUST be signed, if the
>> HTTP POST binding is used."
>>
>> On the other hand, section 4.1.4.5 (lines 685-687) defines:
>> If the HTTP POST binding is used to deliver the <Response> each
>> assertion MUST be protected by a digital signature. This can be
>> accomplished by signing each individual <Assertion> element or by
>> signing the <Response> element.
>>
>> I hope this is the correct mailing list for filing such an issue.
>>
>> Best regards,
>> Bernd
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
>> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org
>>
>>


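A structural check implementing the inheritance rule Brian quotes and the POST-binding requirement Bernd cites, added here as an example that is not code from the thread or from OASIS; it assumes SAML's same-document Reference convention (URI="#" + the signed element's ID), uses constructed sample responses, and leaves verification of the signature value itself to an XML-DSig library.

```python
# Added example: classifies each <Assertion> in a <Response> as signed directly,
# signed by inheritance (Core 5.3) or unsigned. It checks signature structure only;
# the signature value must still be verified by an XML-DSig library.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def _signature_covers(elem):
    """True if a direct-child ds:Signature references elem's own ID (#ID)."""
    sig = elem.find(f"{{{DS}}}Signature")
    elem_id = elem.get("ID")
    if sig is None or not elem_id:
        return False
    # SAML requires a same-document reference to the signed element's ID.
    return any(ref.get("URI") == "#" + elem_id for ref in sig.iter(f"{{{DS}}}Reference"))

def assertion_signature_status(response_xml):
    """Map each Assertion ID to 'direct', 'inherited' or 'unsigned'."""
    # Constructed input here; parse untrusted SAML with defusedxml instead.
    root = ET.fromstring(response_xml)
    response_signed = _signature_covers(root)
    status = {}
    for a in root.findall(f"{{{SAML}}}Assertion"):
        if _signature_covers(a):
            status[a.get("ID")] = "direct"
        else:
            status[a.get("ID")] = "inherited" if response_signed else "unsigned"
    return status

def post_binding_ok(response_xml):
    """Profiles 4.1.4.5: under HTTP POST every assertion must be protected."""
    return all(s != "unsigned" for s in assertion_signature_status(response_xml).values())

# Constructed sample: Response signed over itself; _a1 also signed directly,
# _a2 carries no Signature of its own and so inherits the Response signature.
SIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_resp1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
  <saml:Assertion ID="_a2"/>
</samlp:Response>"""

# Constructed sample: no Response signature, so _a2 is unprotected.
UNSIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_resp2"><saml:Assertion ID="_a2"/></samlp:Response>"""
```

A Response signature whose Reference does not name the Response itself is deliberately not treated as covering the assertions, since inheritance only applies when the signature covers the Assertion element and all its children.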