OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] XAdES signatures in SAML v2.0?

On 5/29/13 6:05 AM, "Szabó Áron" <baronsz@freemail.hu> wrote:
>OK, I understand your reasons: keeping backward
>compatibility/interoperability is important thing, such modifications can
>not be done in this version of the standard.

At this point, I don't see any viable way for them to be done at all.
There are no plans for any breaking changes in the standard, and I don't
think there's any support for doing that.

Extensions are always possible, and don't require revising the standard,
but they do require that anybody supporting an extension modify code to do
so. But that's the appropriate, indeed the only, way forward.

>On the other hand, I forgot to mention an additional information about
>XAdES specification which would be perhaps interesting if any
>modification could happen in the future (errata, SAML v2.1 etc.). In the
>XAdES-structure this additional ds:Reference element (the reason of
>problem) is unambiguously identified as the protection of metadata (and
>not the protection of data-to-be-signed). This would make the enumeration
>and classification of ds:Reference elements easier for software

I believe that implementing support for a second Reference if it were
well-defined and limited would be possible safely. But the only way to
make that work will be to elide the existing signature and embed one in an

>Perhaps, it would be worth if experts responsible for OASIS SAML could
>discuss this problem with experts responsible for ETSI XAdES.

The above is what I would say if somebody asked. It's also how I would
have addressed compatibility with Signature 2.0.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]