OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] XAdES signatures in SAML v2.0?

On 5/28/13 11:49 AM, "Szabó Áron" <baronsz@freemail.hu> wrote:

>So, my answer is that there is no v2.0 for XMLDSIG, but there is an
>XMLDSIG-based XAdES structure since 2002 (v1.1.1 of ETSI TS 101 903) that
>has to be applied. And also SAML v2.0 should be used. And now, I am a bit
>confused how to use XAdES signatures in SAML v2.0 messages because of
>this requirement:
>"Signatures MUST contain a single <ds:Reference> containing a
>same-document reference to the ID attribute value of the root element of
>the assertion or protocol message being signed."

Yes. That's definitive, and it means you can't do both.

>My suggestion to bypass this problem: can we say, that this requirement
>of SAML v2.0 refers to just the original data-to-be-signed, excluding
>other metadata (that must be also covered by default, as XAdES
>specification says)?

No. A correctly behaving implementation will check the reference count and
will refuse to process the signature if there are two. I grant you that
you could interpret it this way, and with a lot of care, it would be ok,
but this is not what plenty of existing code does. It will break. If we
were to do an errata about this, it would be to clarify this point by
explicitly saying that limiting it to one Reference is acceptable.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]