OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [XML Signature] DSig-01

You may be right, but I'm not sure.  Actually we may both be right!

>What is SOAP's way of signign?  Is it the W3C Note on SOAP Security?  If
>so, I think there's a good chance it will end up being only marginally
>useful -- it provides a way to carry a signature when the application
>itself doesn't provide one. Who is going to use that?

Well, if we take e-business, I don't see the point in having a Signature
element in every business messages (are such *applications* BTW?).
It seems simpler (or at least much cleaner) to keep business contents
free from security "junk".  I'm sure MSFT and IBM thought of that when they
did this note (probably based on the formula: e-business = mainstream).

In my opinion an assertion is just another "business message" (it is in OBI V4),
but you may naturally see this differently.  Or does the signature have a
closer "relation" to the assertion in SAML, than a signature enclosing
a Purchase Order has?

>Either the application cares about the signature, in which case it should "leave
>space" in its XML schemata, or it doesn't care and the SOAP system will
>be doing signature validation, in which case it's probably good enough
>to use SSL/TLS.

Well, the SAML Signature element is *optional* (for reasons we all
know of...) so in which way is this different than having an optionally
enclosing container?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC