OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [XML Signature] Issues on Core 19 & Others

I agree with the questions about the meaning/function of multiple 
assertions.  If we can't motivate them with native-SAML use cases, we may 
want to look seriously at pulling back a bit.

If I'm understanding correctly, Phill has been promoting this structure in 
order to allow for interesting applications built on top of SAML, which is 
a legitimate data point.  I wonder if there isn't a more useful solution:

Make the native SAML assertion be "singular" in nature (containing a single 
statement), and then allow applications to extend the assertion datatype by 
adding additional statements on the end.  In extremely informal DTDish 
notation, the native assertion type would do this:

   assertion ->
   (meta-stuff, (stmt|subjstmt|authnstmt|authzstmt|attstmt))

And the extensions you could create might look like this:

   my-extended-assertion ->
   (everything-above, (stmt|subjstmt|authnstmt|authzstmt|attstmt)*)

(Sorry, I'm multitasking at the moment and don't trust myself to get an XML 
Schema version right.  I will try to follow up with more specific code.)

This would ensure that SAML's semantics for singular assertions are clear, 
and that while extensions might pick up on native *statement* semantics, 
they're on their own as regards any "multiples" semantics.


At 12:12 PM 10/5/01 -0400, Hal Lockhart wrote:
> >               The Signature will be an Enveloped Signature as
> > per the XML Signature
> > specification. There is an issue of support for multiple
> > signatures, which I
> > plan to research thru. Would appreciate feedback.
>What would the semantics of multiple signatures be? We should decide what we
>need to do first and then how to do it.
> >       2.      Is there a rationale for *separate* single and
> > multiple assertions ?
> > Isn't SingleAssertion a MultipleAssertion with one assertion ? Can we
> > collapse the SingleAssertion and MultipleAssertion elements
> > to one type with
> > minOccurs=1. There is no meaning having an assertion without
> > an assertion
> > type !
>I agree with the (implied) suggestion.
> >       3.      Signing Multiple Assertions:
> >               Do we have a structure to envelope multiple
> > separate assertions ?
>I think it is going to be a lot more convenient for relying parties to sign
>each assertion individually. I know there is an performance cost issue, but
>it can be helped by reusing assertions. Separate signatures actually help
>this, as one assertion can be reused, even if another has to be generated
>and signed on demand. For example a static AuthN Assrt and dynamic Attr
> >       4.      Associating Payload:
> >               Is there a way for a payload assertion ? i.e.
> > make an assertion saying
> > that PO is mine. May be this is an attribute assertion the
> > attribute being
> > the hash of the payload. This almost the same as a detached signature.
>Start by assuming that the payload must be signed by the subject. I guess
>this could be debated, but if not then either anybody can forge the payload,
>or the function of being an Asserting Party and being a generator of
>transactions gets folded into a single trust point.
>I think the result of discussions at the face to face and Bob B's powerpoint
>published imediately after was that tying a payload to an assertion can be
>done by putting the subject's public key in the Subject Confirmation.
>The point is that whether the Issing party blesses every individual payload
>generated by the subject or blesses the subject's key, all it is really
>vouching for is that the payload came from the subject, not anything about
>the contents of the payload.
>Once this is recognized, it becomes clear that there is no real advantage
>for the issuer to bind the assertion to every payload. The disadvantage is
>that a new assertion is required for every transaction.
> >               There are a few issues here as well:
> >
> >               a)      ebXML and RosettaNet has a document
> > model and so the object of signing
> > would be a MIME part
> >               b)      SOAP Payload is an XML fragment and so
> > the object could be an XPath or
> > an XPointer (?)
> >
> >               Is Payload signature a binding issue or a "core" issue ?
>Signing the payload itself by the subject is not a SAML requirement at all.
> >
> >       5.      Of course, the "core" has the SAMLRequest and
> > SAMLResponse. Does it make
> > sense to add the
> >                               <element ref="ds:Signature"
> > minOccurs="0" maxOccurs="1"/>
> >               to Request (Line 800.1) and Response (Line 973.1) ?
>I remember we discussed that Requests should be authenticatable, especially
>in environments, e.g. Shib, where assertion contents depend on who is
>asking. I don't recall any argument for signing responses, but there seems
>little harm in including the possibility in the schema. I would hope that
>the mandatory to implement profiles would not use this signature.
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC