Subject: Re: [saml-dev] Discrepancy in SAML Spec
Hi Brian,

thank you for the clarification! Anyway, a reference to this section might be helpful to avoid further misunderstandings.

Best regards,
Bernd

On 17.08.2011 15:53, Brian Campbell wrote:
> I think/hope that section 5.3 from sstc-saml-core-errata-2.0-wd-06
> clears it up by saying that an assertion can 'inherit' a signature
> from its containing response element.
>
> 5.3 Signature Inheritance
> A SAML assertion may be embedded within another SAML element, such as
> an enclosing <Assertion> or a request or response, which may be signed.
> When a SAML assertion does not contain a <ds:Signature> element, but is
> contained in an enclosing SAML element that contains a <ds:Signature>
> element, and the signature applies to the <Assertion> element and all
> its children, then the assertion can be considered to inherit the
> signature from the enclosing element. The resulting interpretation
> should be equivalent to the case where the assertion itself was signed
> with the same key and signature options.
>
> On Wed, Aug 17, 2011 at 3:09 AM, Bernd Zwattendorfer <zwatte@gmx.net> wrote:
>> Hi all,
>>
>> I just found a discrepancy in the current published version of the SAML
>> 2.0 Profiles specification.
>> http://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf
>>
>> On the one hand, the Web SSO Profile specifies (section 4.1.3.5, lines
>> 553-555):
>> "The <Assertion> element(s) in the <Response> MUST be signed, if the
>> HTTP POST binding is used."
>>
>> On the other hand, section 4.1.4.5 (lines 685-687) defines:
>> "If the HTTP POST binding is used to deliver the <Response> each
>> assertion MUST be protected by a digital signature. This can be
>> accomplished by signing each individual <Assertion> element or by
>> signing the <Response> element."
>>
>> I hope this is the correct mailing list for filing such an issue.
>>
>> Best regards,
>> Bernd
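As an added illustration of the section 5.3 rule Brian quotes (this is example code written for this page, not part of the thread or of any SAML implementation), the following Python works out, structurally, which signature protects each assertion in a Response: its own enveloped signature, one inherited from a signed enclosing Response, or none. The Response document, its IDs and the stripped-down ds:Signature elements are constructed; cryptographic verification of the signature value is assumed to be done separately by an XML-DSig library, and a signature only counts for an element when it is that element's direct child and its Reference names that element's ID (the enveloped form SAML requires).

```python
# Added example: structural check of which <ds:Signature> protects each
# <Assertion> in a SAML <Response> (own enveloped signature, or one inherited
# from the enclosing Response per SAML core errata 5.3).  Cryptographic
# verification of the signature value is left to an XML-DSig library.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _covering_signature(elem):
    """True if elem has a direct-child <ds:Signature> whose <ds:Reference>
    URI names elem's own ID (enveloped form).  A signature located deeper
    in the tree, or referencing some other ID, does not cover elem."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    elem_id = elem.get("ID")
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        if elem_id and ref.get("URI", "") == "#" + elem_id:
            return True
    return False

def assertion_protection(response_xml):
    """Map each Assertion ID to 'own', 'inherited' or 'unsigned'."""
    root = ET.fromstring(response_xml)
    response_signed = _covering_signature(root)
    result = {}
    for a in root.findall("saml:Assertion", NS):
        if _covering_signature(a):
            result[a.get("ID")] = "own"
        elif response_signed:
            result[a.get("ID")] = "inherited"   # the section 5.3 case
        else:
            result[a.get("ID")] = "unsigned"    # not allowed by 4.1.4.5
    return result

# Constructed sample (IDs and stripped-down Signature elements are made up):
# signed Response, one assertion signed itself, one relying on inheritance.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 </saml:Assertion>
 <saml:Assertion ID="_a2"/>
</samlp:Response>"""
```

Running `assertion_protection(SAMPLE)` classifies `_a1` as signed on its own and `_a2` as inheriting the Response signature; if the Response signature's Reference pointed at some other ID, `_a2` would be reported as unsigned.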