OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] XML Sig issues w/ SAML

> So what we really should be using is some mechanism that 
> ensures that every prefix is expanded out to the URI it 
> references. This would not be well formed XML but it would be 
> cannonical and the inclusive / exclusive bit would be solved.

Why not go the extra yard and define a c14n algorithm that expands the
prefixes, and then reassigns them when generating the bytes so that you
end up with well-formed XML? Then you don't need a new parser.

>I would like to profile the use of transformations very closely. This
>then allow verifiers to reject signatures because the transforms
>are too complex.
>It would also allow this mode of processing:
>1) Extract the signature node [if doing enveloped]
>2) Verify that node contains only the understood transformation(s)
>3) Verify that the Id reference points to the expected object
>4) Verify the signature

That loosely equates with option (1) I proposed, fixing the Transforms
element in SAML so that verification doesn't require re-examining the
input node set. To avoid XPath, we have to support ID and XLink.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC