
Subject: RE: [security-services] Action A11: XML Signature requirements fo rSOAPProfile

>>> The <dsig:Signature> element MUST apply to all the SAML
>>> assertion elements in the SOAP <Header>, and all the relevant
>>> portions of the SOAP <Body>, as required by the application.
>>> Specific applications may require that the signature also
>>> apply to additional elements.
>>
>> Can a message have more than one set of assertions?

Absolutely, there may be multiple assertions in the header.

>>If I'm communicating over a VPN or other strong transport-level secure
>>system, can I omit the signature?  Am I no longer compliant?

Good point. What you are proposing should definitely be supported
by the SOAP profile. I have the following language in the spec:

[SOAP Profile] 

1. The message integrity of a SOAP message sent from
a sender to a receiver MUST be assured. A variety of means
can be used to ensure message integrity, e.g., SSL, VPN,
digital signature etc.

2. When a receiver processes a SOAP message with attached 
assertions, it MUST make an explicit determination of whether the
sender has the right to possess said assertions. 
Merely obtaining a message from a sender containing assertions
carries no implication about the sender's right to possess and use
the said assertions. A variety of means can be used to make such
a determination, including, for example, authentication of the sender,
use of digital signature etc.

Two message formats are RECOMMENDED to address these issues:

HolderOfKey (digital signing, sender == subject)

SenderVouches (digital signing, recipient makes an independent determination
of the sender's right to possess assertions found in the message).

- prateek

>>	/r$
>>Zolera Systems, Securing web services (XML, SOAP, Signatures,
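The requirement quoted above (the signature MUST cover every SAML assertion in the SOAP Header and the relevant parts of the Body) can be checked structurally before any cryptographic verification is attempted. The following is an added example written for this archive page, not code from the thread or from OASIS: it walks a SOAP 1.1 envelope, collects the same-document references (URI="#...") of every ds:Signature in the Header, and reports any saml:Assertion whose AssertionID is not referenced. The envelope, the AssertionID values and the Body's Id attribute are constructed for the example; actual signature validation (digest and key checks) is assumed to be done afterwards by an XML-DSIG library.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample: two assertions in the Header; the Signature references
# only the first assertion and the Body, so the second assertion is unsigned.
SAMPLE_ENVELOPE = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    AssertionID="assertion-1"/>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    AssertionID="assertion-2"/>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#assertion-1"/>
        <ds:Reference URI="#body-1"/>
      </ds:SignedInfo>
    </ds:Signature>
  </soap:Header>
  <soap:Body Id="body-1"/>
</soap:Envelope>
"""


def check_signature_coverage(envelope_xml: str) -> dict:
    """Return which Header assertions lack a ds:Reference and whether the
    Body (identified by a hypothetical Id attribute) is referenced at all."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    body = root.find("soap:Body", NS)
    if header is None:
        return {"unsigned_assertions": [], "body_signed": False}

    # Same-document references from every Signature found in the Header.
    covered = set()
    for ref in header.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            covered.add(uri[1:])

    # Every SAML 1.x assertion in the Header must be among the references.
    assertion_ids = [a.get("AssertionID") for a in header.findall("saml:Assertion", NS)]
    unsigned = [aid for aid in assertion_ids if aid not in covered]
    body_id = body.get("Id") if body is not None else None
    return {"unsigned_assertions": unsigned, "body_signed": body_id in covered}
```

A receiver that finds a non-empty unsigned list should reject the message under the profile text quoted above, regardless of whether the signature itself verifies.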
