OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [XML Signature] Issues on Core 19 & Others

Hi all,

	As there are no formal XML Signature sub-group, I would like to pick the
brains of the whole TC ! Here are some of the issues I would like all of us
to think and get feedback on. (Of course, I am working on them, asking
questions to folks, scratching my head, reading specifications, ....) :

	1.	Signing Assertion
		Proposed : An Issuer MAY sign an assertion.
		Issues: Would need an element
		<element ref="ds:Signature" minOccurs="0" maxOccurs="1"/>
		in Assertion AbstractionType Line 247.1

		The Signature will be an Enveloped Signature as per the XML Signature
specification. There is an issue of support for multiple signatures, which I
plan to research thru. Would appreciate feedback.

	2.	Is there a rationale for *separate* single and multiple assertions ?
Isn't SingleAssertion a MultipleAssertion with one assertion ? Can we
collapse the SingleAssertion and MultipleAssertion elements to one type with
minOccurs=1. There is no meaning having an assertion without an assertion
type !

	3.	 Signing Multiple Assertions:
		 Do we have a structure to envelope multiple separate assertions ?

	4.	Associating Payload:
		Is there a way for a payload assertion ? i.e. make an assertion saying
that PO is mine. May be this is an attribute assertion the attribute being
the hash of the payload. This almost the same as a detached signature.

		There are a few issues here as well:

		a)	ebXML and RosettaNet has a document model and so the object of signing
would be a MIME part
		b)	SOAP Payload is an XML fragment and so the object could be an XPath or
an XPointer (?)

		Is Payload signature a binding issue or a "core" issue ?

	5.	Of course, the "core" has the SAMLRequest and SAMLResponse.	Does it make
sense to add the
				<element ref="ds:Signature" minOccurs="0" maxOccurs="1"/>
		to Request (Line 800.1) and Response (Line 973.1) ?

	Just as FYI, I am also going thru the discussions on Signature in the TC


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC