RE: Note on Digital Signing in SAML

["Mishra, Prateek" <pmishra@netegrity.com>]

Three separate issues here:

(1) Assertions MAY be signed using XML-SIG
(ISSUE: enveloped, enveloping, detached? --- are we ready to make a
recommendation? Do we want to constrain KeyInfo). 

(2) Assertions MUST be signed if the RP receives them from any
intermediary (entity other than AP).

(3) BUT assertions may be embedded within Response/Request
messages. These may also be signed with XML-DSIG (ISSUE: as in
(1) above). Question: If an assertions are contained within
a signed Request/Response pair, can they "inherit" the
super-signature?? Should we support this flexibility or
should we insist that assertions be individually signed?

(4) BUT request/response messages may themselves be embedded
within other payloads (XML, MIME). These payloads may themselves
be signed. Should the contained SAML messages "inherit" the
super-signature?? 
 



>>-----Original Message-----
>>From: christopher ferris [mailto:chris.ferris@east.sun.com]
>>Sent: Saturday, June 30, 2001 7:10 AM
>>To: kelvin.beeck@talkingblocks.com
>>Cc: 'Mishra, Prateek'; 'Evan Prodromou';
>>security-services@lists.oasis-open.org
>>Subject: Re: Note on Digital Signing in SAML
>>
>>
>>Agreed. Often, both signatures are required to establish
>>the authenticity of the assertion.
>>
>>Kelvin Beeck wrote:
>><snip/>
>>> 
>>> It seems to me that assertions would often need to be 
>>signed independent of
>>> a composite signature (as part of the protocol binding) 
>>because issued
>>> assertions usually become the input for other queries (eg. 
>>an authentication
>>> assertion as input to an PDP authorization query) or may be 
>>bound to a
>>> payload.
>>> 
>>> The requirement is based on the trust relationship - i.e. 
>>do I trust an
>>> assertion because I trust the bearer, or do I need to 
>>verify that the
>>> assertion came from the stated issuer (I would think so).
>>