Subject: RE: [security-services] Action A11: XML Signature requirements for SOAP Profile
>>> The <dsig:Signature> element MUST apply to all the SAML assertion elements
>>> in the SOAP <Header>, and all the relevant portions of the SOAP <Body>, as
>>> required by the application. Specific applications may require that the
>>> signature also apply to additional elements.
>>
>> Can a message have more than one set of assertions?

Absolutely, there may be multiple assertions in the header.

>> If I'm communicating over a VPN or other strong transport-level secure
>> system, can I omit the signature? Am I no longer compliant?

Good point. What you are proposing should definitely be supported by the SOAP
profile. I have the following language in the spec:

[SOAP Profile]

1. The message integrity of a SOAP message sent from a sender to a receiver
   MUST be assured. A variety of means can be used to ensure message
   integrity, e.g., SSL, VPN, digital signature etc.

2. When a receiver processes a SOAP message with attached assertions, it MUST
   make an explicit determination of whether the sender has the right to
   possess said assertions. Merely obtaining a message from a sender
   containing assertions carries no implication about the sender's right to
   possess and use the said assertions. A variety of means can be used to
   make such a determination, including, for example, authentication of
   sender, use of digital signature etc.

Two message formats are RECOMMENDED to address these issues:

HolderOfKey (digital signing, sender == subject)

SenderVouches (digital signing, recipient makes an independent determination
of sender's right to possess assertions found in message).

- prateek

>> /r$
>> --
>> Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
>> http://www.zolera.com
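The following is an added example, not code from the thread or from the OASIS SOAP profile, showing a receiver applying the two rules quoted above: check that the signature covers every assertion in the Header plus the Body (rule 1), then make an explicit, separate decision about whether this particular sender may hold each assertion (rule 2), distinguishing HolderOfKey (the signing key must be the key the assertion binds to its subject) from SenderVouches (the receiver consults its own trust policy for the sender). Everything in it is an assumption for illustration: XML-DSig is stood in for by an HMAC over the serialised Header children and Body keyed by a per-sender secret, the confirmation-method URIs are the ones SAML 1.0 later standardised, the key names, secrets, trusted-voucher list and SOAP messages are constructed, and the `<ds:KeyName>` inside `<ds:KeyInfo>` is used as the key identifier.

```python
"""Added example, not part of the thread: a receiver applying the two
SOAP-profile rules quoted above. Assumptions (none from the original):
XML-DSig is stood in for by an HMAC over the serialised Header children
and Body keyed by a per-sender secret; confirmation-method URIs are the
ones SAML 1.0 later standardised; the trusted-voucher list is local
receiver policy; all keys and messages below are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Stand-in for the senders' signing keys: key name -> shared secret (constructed).
KEYS = {"alice-key": b"alice-secret", "bob-key": b"bob-secret",
        "portal-key": b"portal-secret"}
# Receiver policy: senders allowed to vouch for assertions they do not own.
TRUSTED_VOUCHERS = {"portal-key"}


def _signed_bytes(env):
    """What the signature must cover: every Header child plus the Body."""
    header = env.find(f"{{{SOAP_NS}}}Header")
    body = env.find(f"{{{SOAP_NS}}}Body")
    return b"".join(ET.tostring(c) for c in header) + ET.tostring(body)


def sign(envelope_xml, key_name):
    """Sender side: HMAC stand-in for <dsig:Signature> over header assertions + body."""
    digest = hmac.new(KEYS[key_name], _signed_bytes(ET.fromstring(envelope_xml)),
                      hashlib.sha256)
    return digest.hexdigest()


def accept_assertions(envelope_xml, signer_key_name, signature):
    """Receiver side (rule 2): return the AssertionIDs the sender is entitled
    to present, or raise ValueError. Possession alone proves nothing."""
    env = ET.fromstring(envelope_xml)
    if signer_key_name not in KEYS:
        raise ValueError("unknown signer")
    expected = hmac.new(KEYS[signer_key_name], _signed_bytes(env),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):  # rule 1: integrity
        raise ValueError("signature does not cover the header assertions and body")
    accepted = []
    header = env.find(f"{{{SOAP_NS}}}Header")
    for assertion in header.findall(f"{{{SAML_NS}}}Assertion"):
        aid = assertion.get("AssertionID")
        conf = assertion.find(f".//{{{SAML_NS}}}SubjectConfirmation")
        method = conf.findtext(f"{{{SAML_NS}}}ConfirmationMethod") if conf is not None else None
        if method == CM_HOLDER_OF_KEY:
            # HolderOfKey: sender == subject, so the key that signed the message
            # must be the key the assertion binds to its subject.
            subject_key = conf.findtext(f"{{{DSIG_NS}}}KeyInfo/{{{DSIG_NS}}}KeyName")
            if subject_key != signer_key_name:
                raise ValueError(f"{aid}: signer does not hold the subject's key")
        elif method == CM_SENDER_VOUCHES:
            # SenderVouches: the receiver decides independently whether this
            # sender may vouch; a valid signature by itself is not enough.
            if signer_key_name not in TRUSTED_VOUCHERS:
                raise ValueError(f"{aid}: signer is not trusted to vouch")
        else:
            raise ValueError(f"{aid}: unsupported confirmation method {method!r}")
        accepted.append(aid)
    return accepted


def verdict(envelope_xml, signer_key_name, signature):
    """('accepted', ids) or ('rejected', reason), for callers that do not want exceptions."""
    try:
        return "accepted", accept_assertions(envelope_xml, signer_key_name, signature)
    except ValueError as err:
        return "rejected", str(err)


def envelope(assertion_id, subject, method, key_name=None, body="<order>buy 10</order>"):
    """Constructed SOAP envelope carrying one SAML assertion in its Header."""
    key_info = (f'<ds:KeyInfo xmlns:ds="{DSIG_NS}"><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>'
                if key_name else "")
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
            f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="{assertion_id}">'
            f'<saml:AuthenticationStatement><saml:Subject>'
            f'<saml:NameIdentifier>{subject}</saml:NameIdentifier>'
            f'<saml:SubjectConfirmation><saml:ConfirmationMethod>{method}'
            f'</saml:ConfirmationMethod>{key_info}</saml:SubjectConfirmation>'
            f'</saml:Subject></saml:AuthenticationStatement></saml:Assertion>'
            f'</soap:Header><soap:Body>{body}</soap:Body></soap:Envelope>')


if __name__ == "__main__":
    hok = envelope("a1", "alice", CM_HOLDER_OF_KEY, "alice-key")
    print(verdict(hok, "alice-key", sign(hok, "alice-key")))  # alice presents her own assertion
    print(verdict(hok, "bob-key", sign(hok, "bob-key")))      # bob replays alice's assertion
    sv = envelope("a2", "alice", CM_SENDER_VOUCHES)
    print(verdict(sv, "portal-key", sign(sv, "portal-key")))  # a trusted portal vouches
    print(verdict(sv, "bob-key", sign(sv, "bob-key")))        # bob is not allowed to vouch
```

The two rejected cases in the demo are the point of rule 2: bob's signature over alice's HolderOfKey assertion is perfectly valid as a signature, and bob's signature over a SenderVouches assertion is too, yet neither gives bob any right to the assertions. Swapping the HMAC stand-in for real XML-DSig changes only `sign` and the integrity check, not the possession decision.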