OASIS Mailing List Archives
security-services message
Subject: RE: Note on Digital Signing in SAML (re-send)


The previous message was incomplete! Here is the complete message:
------------------------------------------------------------------

Four separate issues here:

(1) Assertions MAY be signed using XML-SIG
(ISSUE: enveloped, enveloping, detached? --- are we ready to 
make a recommendation? Do we want to constrain KeyInfo). 

(2) Assertions MUST be signed if the RP receives them from any
intermediary (entity other than AP).

(3) BUT assertions may be embedded within Response/Request
messages. These may also be signed with XML-DSIG (ISSUE: as in
(1) above). Question: If assertions are contained within
a signed Request/Response pair, can they "inherit" the
super-signature?? Should we support this flexibility or
should we insist that assertions be individually signed?

(4) BUT request/response messages may themselves be embedded
within other payloads (XML, MIME). These payloads may themselves
be signed. Should the contained SAML messages "inherit" the
super-signature?? 


RESOLUTIONS:

(A) Do not consider any signature inheritance notion for
SAML messages or assertions. 

(B) Include signature inheritance up to (3), do not include
(4).

(C) Support full inheritance up to (4).

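The "inherit the super-signature" question in (3), worked as an added example that is not part of the original message: a Python check that reports, for each Assertion in a constructed samlp:Response, whether it carries its own enveloped ds:Signature, is referenced directly by the Response-level signature, is only covered by the enclosing Response signature, or is unsigned. It inspects ds:Reference URIs only; cryptographic validation of the signatures is a separate step it does not attempt.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

def covered_ids(sig):
    """IDs a ds:Signature claims to cover, from its ds:Reference URIs.
    URI="#x" covers the element with ID x; an empty URI covers the whole
    document and is represented here as None."""
    ids = set()
    for ref in sig.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        ids.add(uri[1:] if uri.startswith("#") else None)
    return ids

def signature_coverage(response_xml):
    """Structural check only (no key or digest verification). Per Assertion:
    'direct'    = own enveloped signature referencing the assertion ID
    'detached'  = Response-level signature references the assertion ID
    'inherited' = only the enclosing Response is signed; 'none' otherwise."""
    root = ET.fromstring(response_xml)
    outer = set()
    for sig in root.findall(f"{{{DS}}}Signature"):  # direct children only
        outer |= covered_ids(sig)
    response_signed = root.get("ID") in outer or None in outer
    report = {}
    for a in root.iter(f"{{{SAML}}}Assertion"):
        aid = a.get("ID")
        own = [s for s in a.findall(f"{{{DS}}}Signature") if aid in covered_ids(s)]
        if own:
            report[aid] = "direct"
        elif aid in outer:
            report[aid] = "detached"
        elif response_signed:
            report[aid] = "inherited"
        else:
            report[aid] = "none"
    return report

# Constructed samples: in the first, the Response is signed, a-1 is also
# signed on its own and a-2 relies solely on the enclosing signature;
# in the second nothing is signed at all.
SIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="resp-1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#resp-1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="a-1"><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#a-1"/></ds:SignedInfo></ds:Signature></saml:Assertion>
  <saml:Assertion ID="a-2"/>
</samlp:Response>"""
UNSIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="resp-2"><saml:Assertion ID="a-3"/></samlp:Response>"""
```

A relying party that adopts resolution (A) would accept only "direct"; (B) or (C) would also accept "inherited", so the check makes the policy choice explicit in code.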