saml-dev message

Subject: Re: [saml-dev] XML signature validation question

From: "Cantor, Scott" <cantor.2@osu.edu>
To: "Pim van der Eijk (Lists)" <lists@sonnenglanz.net>, "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>
Date: Fri, 13 Jan 2017 17:07:08 +0000

On 1/13/17, 12:01 PM, "Pim van der Eijk (Lists)" <lists@sonnenglanz.net> wrote:

> The XML Signature specification does not actually explicitly 
> impose this ordering constraint on chains, which is an omission.  

It's a fatal one, in this particular case, which I may not have emphasized sufficiently. Given no profile imposing that constraint, the inability to know which actual key was meant as a verification key by the metadata creates a security risk if you tried to apply the key material. It would essentially risk allowing the CA to act as the IdP or SP, which it obviously is not.

-- Scott

References:
- XML signature validation question
  - From: Peter Major <peter.major@forgerock.com>
- Re: [saml-dev] XML signature validation question
  - From: "Cantor, Scott" <cantor.2@osu.edu>
- Re: [saml-dev] XML signature validation question
  - From: "Pim van der Eijk (Lists)" <lists@sonnenglanz.net>