saml-dev message


Subject: Re: [saml-dev] XAdES signatures in SAML v2.0?


OK, I understand your reasons: keeping backward compatibility/interoperability is an important thing, and such modifications cannot be done in this version of the standard.

On the other hand, I forgot to mention additional information about the XAdES specification which would perhaps be interesting if any modification could happen in the future (errata, SAML v2.1 etc.). In the XAdES structure this additional ds:Reference element (the cause of the problem) is unambiguously identified as the protection of metadata (and not the protection of the data-to-be-signed). This would make the enumeration and classification of ds:Reference elements easier for software developers.

"Additionally, the present document MANDATES the use of the Type attribute of this particular ds:Reference element, with its value set to: http://uri.etsi.org/01903#SignedProperties [...]"


Perhaps it would be worthwhile if the experts responsible for OASIS SAML could discuss this problem with the experts responsible for ETSI XAdES.

Best regards,


"Cantor, Scott" <cantor.2@osu.edu> wrote:
> On 5/28/13 11:49 AM, "Szabó Áron" <baronsz@freemail.hu> wrote:
>> So, my answer is that there is no v2.0 for XMLDSIG, but there is an
>> XMLDSIG-based XAdES structure since 2002 (v1.1.1 of ETSI TS 101 903) that
>> has to be applied. And also SAML v2.0 should be used. And now, I am a bit
>> confused how to use XAdES signatures in SAML v2.0 messages because of
>> this requirement:
>> "Signatures MUST contain a single <ds:Reference> containing a
>> same-document reference to the ID attribute value of the root element of
>> the assertion or protocol message being signed."
>
> Yes. That's definitive, and it means you can't do both.
>
>> My suggestion to bypass this problem: can we say, that this requirement
>> of SAML v2.0 refers to just the original data-to-be-signed, excluding
>> other metadata (that must be also covered by default, as XAdES
>> specification says)?
>
> No. A correctly behaving implementation will check the reference count and
> will refuse to process the signature if there are two. I grant you that
> you could interpret it this way, and with a lot of care, it would be ok,
> but this is not what plenty of existing code does. It will break. If we
> were to do an errata about this, it would be to clarify this point by
> explicitly saying that limiting it to one Reference is acceptable.
>
> -- Scott
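The reference-count check Scott describes, written out as an added example (not code from this thread or from any SAML implementation): it enforces the quoted SAML v2.0 rule structurally, before any cryptographic verification, and shows that an XAdES-style signature carrying the extra SignedProperties reference is rejected. The sample XML documents are constructed; digest and signature values are placeholders, and the helper names are my own.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES_SIGNED_PROPERTIES = "http://uri.etsi.org/01903#SignedProperties"  # quoted in the thread


def check_saml_signature_references(xml_text: str) -> Tuple[bool, str]:
    """Structural pre-check only: exactly one ds:Reference, and it must be a
    same-document reference to the root element's ID. Verifying digests and the
    SignatureValue is a separate, later step that is not shown here."""
    root = ET.fromstring(xml_text)
    root_id = root.get("ID")
    if not root_id:
        return False, "root element has no ID attribute"
    sig = root.find(f"{{{DS}}}Signature")  # enveloped signature is a direct child
    if sig is None:
        return False, "no ds:Signature child of the root element"
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        types = [r.get("Type") or "(no Type)" for r in refs]
        return False, f"expected exactly 1 ds:Reference, found {len(refs)}: {types}"
    uri = refs[0].get("URI")
    if uri != f"#{root_id}":
        return False, f"URI {uri!r} is not a same-document reference to #{root_id}"
    return True, "single same-document reference to the root ID"


# Constructed sample documents (hypothetical helper); digest/signature values are placeholders.
def _doc(first_uri="#_a1", extra_reference="", extra_object=""):
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">'
            '<ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="{first_uri}"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
            + extra_reference + '</ds:SignedInfo>'
            '<ds:SignatureValue>AAAA</ds:SignatureValue>' + extra_object
            + '</ds:Signature></saml:Assertion>')


SAML_CONFORMANT = _doc()                    # one Reference to the root ID
WRONG_TARGET = _doc(first_uri="#_other")    # one Reference, but not to the root
# XAdES-style: a second Reference, typed SignedProperties, covers the signature
# metadata. Valid XAdES, but it violates the SAML single-Reference rule.
XADES_STYLE = _doc(
    extra_reference=f'<ds:Reference Type="{XADES_SIGNED_PROPERTIES}" URI="#_a1-sp">'
                    '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>',
    extra_object='<ds:Object><xades:QualifyingProperties '
                 'xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">'
                 '<xades:SignedProperties Id="_a1-sp"/></xades:QualifyingProperties></ds:Object>')
```

A verifier that reorders these steps (verifying digests first, then counting references) still ends up rejecting the XAdES form; doing the structural check first simply avoids spending signature work on a document the profile forbids.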
