OASIS Mailing List Archives, security-services message

Subject: [security-services] FW: Signing assertions (ERRATA in SAML 1.1).

-----Original Message-----
From: Mishra, Prateek 
Sent: Monday, December 02, 2002 6:23 PM
To: 'Eve L. Maler'; Mishra, Prateek
Cc: 'ronald monzillo'; jeff.hodges@sun.com
Subject: RE: Signing assertions.

I would definitely support that. 

- prateek

>>-----Original Message-----
>>From: Eve L. Maler [mailto:eve.maler@sun.com]
>>Sent: Monday, December 02, 2002 6:19 PM
>>To: Mishra, Prateek
>>Cc: 'ronald monzillo'; jeff.hodges@sun.com
>>Subject: Re: Signing assertions.
>>
>>It would be possible for us to weaken this in SAML 1.1 to a SHOULD or
>>MAY if the group agreed, since it would be a backwards-compatible
>>change.  Should we add this to the list of things to consider?
>>
>>	Eve
>>
>>Mishra, Prateek wrote:
>>> I am afraid I will have to take responsibility for this one.
>>> The intent here is to strongly advocate the use of signature
>>> when assertions are passing through intermediaries. The
>>> use of "MUST" here is inappropriate; this is really only advice for
>>> profile developers.
>>> - prateek
>>>>>-----Original Message-----
>>>>>From: ronald monzillo [mailto:ronald.monzillo@sun.com]
>>>>>Sent: Monday, December 02, 2002 5:05 PM
>>>>>To: pmishra@netegrity.com; eve.maler; jeff.hodges@sun.com
>>>>>Subject: Signing assertions.
>>>>>
>>>>>I found the following in section 5.0 of the SAML core:
>>>>>
>>>>>All other contexts require the use of digital signature for
>>>>>and request and response messages. 1382
>>>>>Specifically: 1383
>>>>>1. An assertion obtained by a relying party from an entity other than
>>>>>the asserting party MUST be signed 1384
>>>>>by the asserting party. 1385
>>>>>2. A SAML message arriving at a destination from an entity other than
>>>>>the originating site MUST be 1386
>>>>>signed by the origin site. 1387
>>>>>
>>>>>which seems to require that SAML assertions be signed whenever they are
>>>>>conveyed by other than the authority. I was surprised to see this as a
>>>>>requirement. Although this is not my issue, was this the intent of the
>>>>>SAML specification, as it seems to say "MAY be signed" just about
>>>>>everywhere else that the subject of signing assertions shows up?
>>>>>Anyway, if assertions obtained from other than the authority must be
>>>>>signed, is there somewhere in the SAML spec where it says that a RP,
>>>>>when presented with such an assertion, must validate the signature on
>>>>>the assertion?
>>>>>I need to address a related issue in the wss SAML profile.
>>>>>I a
>>Eve Maler                                        +1 781 442 3190
>>Sun Microsystems                            cell +1 781 354 9441
>>Web Technologies and Standards               eve.maler @ sun.com
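The rule the thread is discussing (an assertion obtained from anyone other than the asserting party must carry the asserting party's signature) and the open question of whether the relying party must validate it, as an added example that is not part of the thread or of any SAML implementation. It models a relying party's acceptance check; XML-DSig is replaced by an HMAC over the assertion bytes so it runs stand-alone, and the issuer identifiers, keys and assertion structure are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed trust store: asserting party (Issuer) -> verification key.
# In real SAML this would be the issuer's public key / certificate.
ISSUER_KEYS = {
    "https://idp.example.org": b"constructed-idp-key",
}


@dataclass(frozen=True)
class Assertion:
    issuer: str                        # the asserting party named inside the assertion
    payload: bytes                     # canonicalised assertion content being attested
    signature: Optional[bytes] = None  # stand-in for ds:Signature (None = unsigned)


def sign(payload: bytes, key: bytes) -> bytes:
    """Stand-in for the asserting party's XML signature over the assertion."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def accept(assertion: Assertion, presented_by: str) -> Tuple[bool, str]:
    """Relying-party decision for an assertion delivered by `presented_by`.

    When the presenter is the asserting party itself, the core text leaves the
    signature optional ("MAY be signed").  When the assertion arrives through
    an intermediary, section 5 says it MUST be signed by the asserting party,
    and the RP checks that signature against the *issuer's* key, never
    against who presented it: an intermediary's identity proves nothing about
    the assertion's origin or integrity.
    """
    if presented_by == assertion.issuer:
        return True, "obtained directly from the asserting party"
    if assertion.signature is None:
        return False, "unsigned assertion conveyed by an intermediary"
    key = ISSUER_KEYS.get(assertion.issuer)
    if key is None:
        return False, "asserting party is not trusted"
    expected = sign(assertion.payload, key)
    if not hmac.compare_digest(expected, assertion.signature):
        return False, "signature does not verify under the asserting party's key"
    return True, "signed by the asserting party"
```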
