security-services message



Subject: RE: Note on Digital Signing in SAML



> D. Super-Signatures and Sub-Messages
> ------------------------------------
>
> SAML assertions may be embedded within request or response
> messages or other XML messages which may be signed.
> Request or response messages may themselves be contained
> within other messages which are based on other XML messaging
> frameworks (e.g., SOAP) and the composite object may be the
> subject of a signature. Another possibility is that SAML
> assertions or request/response messages are embedded within
> a non-XML messaging object (e.g., MIME package) and signed.
>
> In such a case, the SAML sub-message (Assertion, request, response)
> may be viewed as inheriting a signature from the "super-signature"
> over the enclosing object, provided certain constraints are met.
>
> (1) An assertion may be viewed as inheriting a signature from
> a super signature, provided that the super signature applies
> to all of the mandatory elements within the assertion.
>
> (2) A SAML request or response may be viewed as inheriting
> a signature from a super signature, provided that the super
> signature applies to all of the mandatory elements within the
> response.
>

It seems to me that assertions would often need to be signed independent of
a composite signature (as part of the protocol binding) because issued
assertions usually become the input for other queries (e.g., an authentication
assertion as input to a PDP authorization query) or may be bound to a
payload.

The requirement is based on the trust relationship, i.e., do I trust an
assertion because I trust the bearer, or do I need to verify that the
assertion came from the stated issuer (I would think so)?
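As an added illustration of the scope rule in the quoted section D and of the reply's point that an assertion is reused outside its envelope, the following Python was written for this archive page; it is not code from the thread or from the SAML specification. It performs a structural check only: which ds:Reference URIs of each ds:Signature enclose a saml:Assertion, whether that signature is enveloped in the assertion itself or sits elsewhere in the document (the "super-signature" case), and what remains once the assertion is extracted on its own. It assumes the SAML 1.0 assertion and protocol namespaces, treats AssertionID, ResponseID and the generic ID spellings as reference targets (the ID attribute on the statement in sample 3 is constructed for the sample, not taken from the schema), uses placeholder digest and signature values, and does no cryptographic verification.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
for _p, _ns in (("ds", DS), ("saml", SAML), ("samlp", SAMLP)):
    ET.register_namespace(_p, _ns)

# Attributes a ds:Reference URI="#..." may resolve against. Assumption: SAML 1.x
# AssertionID/ResponseID plus the generic spellings; adapt to the profile in use.
ID_ATTRS = ("AssertionID", "ResponseID", "ID", "Id")
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
NS_DECL = f'xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"'


def _sig(ref_uri):
    # Constructed ds:Signature skeleton; digest and signature values are placeholders.
    return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}">'
            f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>'
            '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


# Constructed sample 1: only a super-signature over the whole Response.
SUPER_SIGNED = (f'<samlp:Response {NS_DECL} ResponseID="resp-1">{_sig("#resp-1")}'
                '<saml:Assertion AssertionID="a-1" Issuer="idp.example">'
                '<saml:AuthenticationStatement/></saml:Assertion></samlp:Response>')

# Constructed sample 2: the Response is signed and the assertion also carries
# its own enveloped signature.
DOUBLY_SIGNED = (f'<samlp:Response {NS_DECL} ResponseID="resp-2">{_sig("#resp-2")}'
                 f'<saml:Assertion AssertionID="a-2" Issuer="idp.example">{_sig("#a-2")}'
                 '<saml:AuthenticationStatement/></saml:Assertion></samlp:Response>')

# Constructed sample 3: the super-signature references only one statement, so it
# does not apply to all of the assertion's mandatory content (constraint (1)).
PARTIALLY_SIGNED = (f'<samlp:Response {NS_DECL} ResponseID="resp-3">{_sig("#s-3")}'
                    '<saml:Assertion AssertionID="a-3" Issuer="idp.example">'
                    '<saml:AuthenticationStatement ID="s-3"/></saml:Assertion></samlp:Response>')


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def element_id(el):
    for attr in ID_ATTRS:
        if attr in el.attrib:
            return el.attrib[attr]
    return None


def parent_map(root):
    # ElementTree has no parent pointers, so build the child -> parent map once.
    return {child: parent for parent in root.iter() for child in parent}


def referenced_elements(root, signature):
    """Elements the ds:Reference URIs of one ds:Signature resolve to in this document.
    URI="" means the whole document; an unresolvable URI covers nothing here."""
    by_id = {element_id(e): e for e in root.iter() if element_id(e) is not None}
    out = []
    for ref in signature.iter(_q(DS, "Reference")):
        uri = ref.get("URI", "")
        if uri == "":
            out.append(root)
        elif uri.startswith("#") and uri[1:] in by_id:
            out.append(by_id[uri[1:]])
    return out


def is_within(node, ancestor, parents):
    while node is not None:
        if node is ancestor:
            return True
        node = parents.get(node)
    return False


def assertion_status(xml_text):
    """For each saml:Assertion: own_signature is True when a ds:Signature enveloped in
    the assertion covers it; inherited_signature is True when a signature elsewhere
    in the document covers the assertion's whole subtree (the super-signature case)."""
    root = ET.fromstring(xml_text)
    parents = parent_map(root)
    status = {}
    for a in root.iter(_q(SAML, "Assertion")):
        own = inherited = False
        for sig in root.iter(_q(DS, "Signature")):
            if any(is_within(a, t, parents) for t in referenced_elements(root, sig)):
                if parents.get(sig) is a:
                    own = True
                else:
                    inherited = True
        status[element_id(a)] = {"own_signature": own, "inherited_signature": inherited}
    return status


def extract_assertion(xml_text, assertion_id):
    """Serialize one assertion on its own, as a relying party does when it reuses the
    assertion as input to a later query: any super-signature is left behind."""
    root = ET.fromstring(xml_text)
    for a in root.iter(_q(SAML, "Assertion")):
        if element_id(a) == assertion_id:
            return ET.tostring(a, encoding="unicode")
    raise KeyError(assertion_id)


if __name__ == "__main__":
    for label, doc, aid in (("super", SUPER_SIGNED, "a-1"), ("double", DOUBLY_SIGNED, "a-2")):
        print(label, "in envelope:", assertion_status(doc))
        print(label, "extracted:  ", assertion_status(extract_assertion(doc, aid)))
```

Running it shows the reply's concern directly: the assertion in sample 1 inherits the Response signature while it stays inside the Response, but the extracted copy carries no signature at all, whereas the assertion in sample 2 keeps its own enveloped signature after extraction. Sample 3 shows a reference that does not satisfy constraint (1), since it encloses one statement rather than the whole assertion.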
