Subject: RE: Note on Digital Signing in SAML
> D. Super-Signatures and Sub-Messages
> ------------------------------------
>
> SAML assertions may be embedded within request or response
> messages or other XML messages which may be signed.
> Request or response messages may themselves be contained
> within other messages which are based on other XML messaging
> frameworks (e.g., SOAP) and the composite object may be the
> subject of a signature. Another possibility is that SAML
> assertions or request/response messages are embedded within
> a non-XML messaging object (e.g., MIME package) and signed.
>
> In such a case, the SAML sub-message (Assertion, request, response)
> may be viewed as inheriting a signature from the
> "super-signature" over the enclosing object, provided certain
> constraints are met.
>
> (1) An assertion may be viewed as inheriting a signature from
> a super signature, provided that the super signature applies
> to all of the mandatory elements within the assertion.
>
> (2) A SAML request or response may be viewed as inheriting
> a signature from a super signature, provided that the super
> signature applies to all of the mandatory elements within the
> response.

It seems to me that assertions would often need to be signed independently of a composite signature (as part of the protocol binding), because issued assertions usually become the input for other queries (e.g., an authentication assertion as input to a PDP authorization query) or may be bound to a payload. The requirement is based on the trust relationship - i.e. do I trust an assertion because I trust the bearer, or do I need to verify that the assertion came from the stated issuer (I would think so)?
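The following is an added illustration of the point made in the reply above; it is not code from the thread or from any SAML implementation. It models a SAML 1.0 authentication assertion carried in a SOAP body, where the composite envelope carries a "super-signature" from the sender and the assertion may or may not carry its own issuer signature. Real XML-DSig (ds:Signature, RSA/DSA keys, the C14N algorithm named in the signature) is replaced by stand-ins so the example runs offline: HMAC-SHA256 plays the signature, Python's ET.canonicalize (C14N 2.0) plays canonicalization, and the namespace urn:example:toy-signature, the keys and the element values are constructed for the demo. The scenario shows that the super-signature protects the assertion only while it stays inside the envelope: once a relying party extracts the assertion and forwards it (e.g. to a PDP), only an independently signed assertion can still be verified against the issuer.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"      # SAML 1.0 assertion namespace
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SIG = "urn:example:toy-signature"                   # hypothetical stand-in for ds:Signature

# Constructed demo keys. In real SAML these are the issuer's and the sender's
# private keys; HMAC stands in for the signature so the example runs offline.
ISSUER_KEY = b"issuer-demo-key"
BINDING_KEY = b"sender-demo-key"


def canonical(elem):
    """Canonical bytes of elem with its own signature child excluded, the way an
    enveloped XML-DSig signature excludes itself. ET.canonicalize (C14N 2.0)
    stands in for the canonicalization algorithm a real ds:Signature names."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall(f"{{{SIG}}}Signature"):
        clone.remove(sig)
    text = ET.tostring(clone, encoding="unicode")
    return ET.canonicalize(text, strip_text=True, rewrite_prefixes=True).encode()


def sign(elem, key):
    """Append a toy enveloped signature (HMAC-SHA256 over the canonical bytes)."""
    mac = hmac.new(key, canonical(elem), hashlib.sha256).hexdigest()
    ET.SubElement(elem, f"{{{SIG}}}Signature").text = mac
    return elem


def verify(elem, key):
    """True only if elem carries exactly one signature child and it matches."""
    sigs = elem.findall(f"{{{SIG}}}Signature")
    if len(sigs) != 1:
        return False
    expected = hmac.new(key, canonical(elem), hashlib.sha256).hexdigest()
    return hmac.compare_digest((sigs[0].text or "").encode(), expected.encode())


def build_assertion(subject, issuer_signs):
    """Constructed authentication assertion, optionally signed by the issuer."""
    a = ET.Element(f"{{{SAML}}}Assertion", AssertionID="a1", Issuer="idp.example.com")
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    return sign(a, ISSUER_KEY) if issuer_signs else a


def envelope_for(assertion):
    """Wrap the assertion in a SOAP body and sign the composite (the super-signature)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(assertion)
    return sign(env, BINDING_KEY)


def extract_assertion(envelope):
    """What a relying party does before forwarding the assertion onward
    (e.g. as input to a PDP query): serialize just the assertion."""
    found = envelope.find(f".//{{{SAML}}}Assertion")
    return ET.fromstring(ET.tostring(found))


def set_subject(elem, subject):
    """Tamper with the subject name wherever it sits below elem."""
    elem.find(f".//{{{SAML}}}NameIdentifier").text = subject
    return elem


def demo(issuer_signs):
    """Verify the composite at the binding, then the extracted assertion on its own."""
    env = envelope_for(build_assertion("alice", issuer_signs))
    return {
        "envelope": verify(env, BINDING_KEY),
        "forwarded": verify(extract_assertion(env), ISSUER_KEY),
        "forwarded_tampered": verify(set_subject(extract_assertion(env), "mallory"), ISSUER_KEY),
    }


def tampered_envelope_verifies():
    """The super-signature does catch tampering while the assertion is still inside."""
    env = envelope_for(build_assertion("alice", False))
    return verify(set_subject(env, "mallory"), BINDING_KEY)


if __name__ == "__main__":
    print("inherited signature only:", demo(False))
    print("issuer-signed assertion :", demo(True))
    print("tampered envelope verifies:", tampered_envelope_verifies())
```

With an inherited signature only, the envelope verifies and a modification inside it is caught, but the extracted assertion carries nothing a downstream party can check: "forwarded" is False whether or not it was tampered with, so the PDP is left trusting the bearer rather than the issuer. With the issuer's own signature on the assertion, the extracted copy verifies against ISSUER_KEY and a changed subject is rejected, which is the trust relationship the reply argues for.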