Subject: Re: [saml-dev] XAdES signatures in SAML v2.0?
Hi,

OK, I understand your reasons: keeping backward compatibility/interoperability is an important thing, and such modifications cannot be done in this version of the standard.

On the other hand, I forgot to mention some additional information about the XAdES specification which would perhaps be interesting if any modification could happen in the future (errata, SAML v2.1 etc.). In the XAdES structure this additional ds:Reference element (the reason for the problem) is unambiguously identified as the protection of metadata (and not the protection of the data-to-be-signed). This would make the enumeration and classification of ds:Reference elements easier for software developers.

"Additionally, the present document MANDATES the use of the Type attribute of this particular ds:Reference element, with its value set to: http://uri.etsi.org/01903#SignedProperties [...]"

http://www.etsi.org/deliver/etsi_ts/101900_101999/101903/01.04.02_60/ts_101903v010402p.pdf

Perhaps it would be worthwhile if the experts responsible for OASIS SAML could discuss this problem with the experts responsible for ETSI XAdES.

Best regards,
Aron

--- "Cantor, Scott" <cantor.2@osu.edu> wrote:

> On 5/28/13 11:49 AM, "Szabó Áron" <baronsz@freemail.hu> wrote:
>
> > So, my answer is that there is no v2.0 for XMLDSIG, but there is an
> > XMLDSIG-based XAdES structure since 2002 (v1.1.1 of ETSI TS 101 903) that
> > has to be applied. And also SAML v2.0 should be used. And now, I am a bit
> > confused how to use XAdES signatures in SAML v2.0 messages because of
> > this requirement:
> >
> > "Signatures MUST contain a single <ds:Reference> containing a
> > same-document reference to the ID attribute value of the root element of
> > the assertion or protocol message being signed."
>
> Yes. That's definitive, and it means you can't do both.
>
> > My suggestion to bypass this problem: can we say that this requirement
> > of SAML v2.0 refers to just the original data-to-be-signed, excluding
> > other metadata (that must also be covered by default, as the XAdES
> > specification says)?
>
> No. A correctly behaving implementation will check the reference count and
> will refuse to process the signature if there are two. I grant you that
> you could interpret it this way, and with a lot of care, it would be ok,
> but this is not what plenty of existing code does. It will break. If we
> were to do an errata about this, it would be to clarify this point by
> explicitly saying that limiting it to one Reference is acceptable.
>
> -- Scott
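The reference-count check Scott describes, and the XAdES Type attribute Aron quotes as the way to tell the SignedProperties reference apart, as an added example that is not part of this thread and not code from OASIS, ETSI or any SAML library. It only enumerates and classifies the ds:Reference elements under ds:SignedInfo (no digest or signature-value verification) and applies the SAML v2.0 single same-document Reference rule, with an optional lenient mode that ignores References typed as XAdES SignedProperties so the two readings discussed above can be compared. The two XML documents, the IDs `_a1` and `_a1-sp`, and the placeholder digest values are constructed for the example:

```python
"""Enumerate and classify ds:Reference elements in a SAML v2.0 signature.

Added illustration for this thread (not OASIS, ETSI or any library's code).
It performs only the reference-count check a profile-conformant SAML
verifier runs before processing a signature, and shows how the XAdES Type
attribute identifies the SignedProperties reference as metadata protection.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Type value mandated by ETSI TS 101 903 for the SignedProperties reference.
XADES_SIGNED_PROPERTIES = "http://uri.etsi.org/01903#SignedProperties"


def classify_references(xml_text):
    """Return (root_id, [(uri, type, kind), ...]) for the enveloped ds:Signature.

    kind is one of:
      "root-same-document"      URI is "#<ID of the root element>"
      "xades-signed-properties" Type equals the XAdES SignedProperties URI
      "other"                   anything else (external or unknown reference)
    """
    root = ET.fromstring(xml_text)
    root_id = root.get("ID")
    signed_info = root.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    if signed_info is None:
        return root_id, []
    refs = []
    for ref in signed_info.findall(f"{{{DS}}}Reference"):
        uri, ref_type = ref.get("URI"), ref.get("Type")
        if ref_type == XADES_SIGNED_PROPERTIES:
            kind = "xades-signed-properties"
        elif root_id and uri == f"#{root_id}":
            kind = "root-same-document"
        else:
            kind = "other"
        refs.append((uri, ref_type, kind))
    return root_id, refs


def saml_references_acceptable(xml_text, tolerate_xades=False):
    """Apply the SAML v2.0 rule: exactly one same-document Reference to the root ID.

    tolerate_xades=False is the strict count check existing code performs.
    tolerate_xades=True is the lenient reading proposed in the thread (ignore
    References typed as XAdES SignedProperties, then require one root
    reference); deployed verifiers do not do this, so XAdES-signed SAML
    messages are rejected by them.
    """
    _, refs = classify_references(xml_text)
    if tolerate_xades:
        refs = [r for r in refs if r[2] != "xades-signed-properties"]
    return len(refs) == 1 and refs[0][2] == "root-same-document"


# Constructed sample: plain SAML v2.0 assertion with a single Reference.
PLAIN_SAML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""

# Constructed sample: the same assertion with a XAdES SignedProperties reference added.
XADES_SAML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" ID="_a1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
      <ds:Reference URI="#_a1-sp" Type="http://uri.etsi.org/01903#SignedProperties">
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:Object>
      <xades:QualifyingProperties Target="#sig">
        <xades:SignedProperties Id="_a1-sp"/>
      </xades:QualifyingProperties>
    </ds:Object>
  </ds:Signature>
</saml:Assertion>"""


if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_SAML), ("xades", XADES_SAML)):
        root_id, refs = classify_references(doc)
        print(name, root_id, [kind for _, _, kind in refs],
              "strict:", saml_references_acceptable(doc),
              "lenient:", saml_references_acceptable(doc, tolerate_xades=True))
```

The strict mode is the behaviour to expect from deployed SAML code: the XAdES document fails because two References are present, regardless of what they point at. The lenient mode passes it only because the Type attribute lets the verifier separate the metadata reference from the data-to-be-signed, which is exactly the classification Aron points out would be unambiguous if a future revision allowed it.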