OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] role of public key in encrypted assertion

Thanks for the quick reply, Scott!

* Cantor, Scott <cantor.2@osu.edu> [2012-11-04 16:05]:
> On 11/3/12 9:36 PM, "Peter Schober" <peter.schober@univie.ac.at> wrote:
> >This message (that's all of it) seems to imply that the incriminated key
> >at:
> >/Response/EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedK
> >ey/ds:KeyInfo/ds:X509Data/ds:X509Certificate
> >should be the IdP's public key.
> Nope.
> >From glancing over XMLenc (section 3.5.1) and section 3.2.2 of the old
> >"SAML Implementation Guidelines" (returned by $searchengine) I
> >conclude that the SP's public key is included in order to inform the
> >SP which of its keys had been used to encrypt the payload (encryption
> >key).
> Yep.
> >Furthermore my guess is that the SP's tech-c (writing the above to me)
> >is mistaken and thinks of (unencrypted) XMLsig, where it would make
> >sense to include the issuer's public key in order to aid the SP in
> >verifying the issuer's signature.
> They'd both be there most likely but in different places in the message.
> If the response weren't signed, then the IdP's key won't appear anywhere
> until the encrypted assertion were decrypted. If it was, then both would
> be visible prior to decryption.

Yeah, the assertion is signed but not the response, so the IdP's key
isn't yet visible.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]