
Subject: RE: [security-services] XML DSig key info profile

Good point. I will pick this up.
Would like to get comments from the TC as to the best way of handling this. Any thoughts? Has anybody implemented this? What are the issues and what is the least complex approach?
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Wednesday, December 12, 2001 2:58 PM
To: 'OASIS Security Services group'
Subject: [security-services] XML DSig key info profile

Colleagues - Currently, our XML DSig profile makes no stipulation about the use of keyInfo.

In the SAML SOAP "holder of key" profile, a signature over the SOAP body is included in the SOAP header, along with a SAML assertion that contains the key for validating the (above mentioned) signature.  The assertion must (in turn) be signed.  We have stipulated no way for the signature's keyInfo to reference the assertion.

The "SAML & XML-Signature Syntax and Processing" specification should explain how the keyInfo should reference the assertion.

As the assertion must be signed, the relying party must verify the X.509 data indicated by the keyInfo of the signature on the assertion.  This includes checking that the assertion issuer is the subject of the X.509 data.  The issuer element is of type "string".  So, some guidance must be provided for comparing the issuer string with the value of the "subject" or "subjectAltName" of the X.509 data.

All the best.  Tim.

Tim Moses
Tel: 613.270.3183
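The two relying-party checks Tim describes, as an added example that is not part of this thread or of any SAML implementation: it follows the body signature's KeyInfo to the assertion in the SOAP header, then compares the assertion's Issuer with the subject of the X.509 data carried in the assertion's own signature. The KeyInfo-to-assertion link (a ds:KeyName holding the AssertionID) and the matching rule (Issuer equals the subject CN or one subjectAltName, compared case-insensitively) are assumptions, since the thread points out that neither is specified; the envelope is constructed, and cryptographic verification of the two signatures is outside what this shows.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"ds": DS, "saml": SAML, "soap": SOAP}

# Constructed SOAP message: the header carries the signature over the body and
# the assertion holding the verification key; the assertion is itself signed.
# The KeyInfo -> assertion link is a hypothetical ds:KeyName carrying the
# AssertionID (the profile discussed in the thread defines no such mechanism).
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}" xmlns:saml="{SAML}">
 <soap:Header>
  <ds:Signature><ds:KeyInfo><ds:KeyName>_a1</ds:KeyName></ds:KeyInfo></ds:Signature>
  <saml:Assertion AssertionID="_a1" Issuer="idp.example.org">
   <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509SubjectName>CN=idp.example.org,O=Example,C=US</ds:X509SubjectName>
   </ds:X509Data></ds:KeyInfo></ds:Signature>
  </saml:Assertion>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def resolve_assertion(root):
    """Follow the body signature's KeyInfo to the header assertion it names."""
    ref = root.findtext("soap:Header/ds:Signature/ds:KeyInfo/ds:KeyName", namespaces=NS)
    for assertion in root.findall("soap:Header/saml:Assertion", NS):
        if ref is not None and assertion.get("AssertionID") == ref:
            return assertion
    return None

def parse_dn(dn):
    """Split a comma-separated DN string into (attribute, value) pairs (no escapes)."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]

def issuer_matches(issuer, subject_dn, san_names=()):
    """Assumed rule: Issuer must equal the subject CN or a subjectAltName entry."""
    want = issuer.strip().lower()
    cns = [v.strip().lower() for k, v in parse_dn(subject_dn) if k.strip().upper() == "CN"]
    return want in cns or want in [s.strip().lower() for s in san_names]

def check_holder_of_key(xml_text, san_names=()):
    """Return (ok, reason) for the KeyInfo resolution and issuer/subject checks."""
    root = ET.fromstring(xml_text)
    assertion = resolve_assertion(root)
    if assertion is None:
        return False, "body signature KeyInfo does not resolve to a header assertion"
    subject = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509SubjectName", namespaces=NS)
    if subject is None:
        return False, "assertion signature carries no X509SubjectName"
    issuer = assertion.get("Issuer", "")
    if not issuer_matches(issuer, subject, san_names):
        return False, f"Issuer {issuer!r} is not the subject of {subject!r}"
    return True, "issuer matches the certificate subject"
```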
