Subject: [security-services] FW: Signing assertions (ERRATA in SAML 1.1).
-----Original Message-----
From: Mishra, Prateek
Sent: Monday, December 02, 2002 6:23 PM
To: 'Eve L. Maler'; Mishra, Prateek
Cc: 'ronald monzillo'; jeff.hodges@sun.com
Subject: RE: Signing assertions.

I would definitely support that.

- prateek

>> -----Original Message-----
>> From: Eve L. Maler [mailto:eve.maler@sun.com]
>> Sent: Monday, December 02, 2002 6:19 PM
>> To: Mishra, Prateek
>> Cc: 'ronald monzillo'; jeff.hodges@sun.com
>> Subject: Re: Signing assertions.
>>
>> It would be possible for us to weaken this in SAML 1.1 to a SHOULD or
>> MAY if the group agreed, since it would be a backwards-compatible
>> change. Should we add this to the list of things to consider?
>>
>> Eve
>>
>> Mishra, Prateek wrote:
>>> I am afraid I will have to take responsibility for this one.
>>>
>>> The intent here is to strongly advocate the use of signature
>>> when assertions are passing through intermediaries. The use of "MUST" here
>>> is inappropriate; this is really only advice for profile developers.
>>>
>>> - prateek
>>>
>>>>> -----Original Message-----
>>>>> From: ronald monzillo [mailto:ronald.monzillo@sun.com]
>>>>> Sent: Monday, December 02, 2002 5:05 PM
>>>>> To: pmishra@netegrity.com; eve.maler; jeff.hodges@sun.com
>>>>> Subject: Signing assertions.
>>>>>
>>>>> I found the following in section 5.0 of the SAML core
>>>>>
>>>>> All other contexts require the use of digital signature for assertions
>>>>> and request and response messages. 1382
>>>>> Specifically: 1383
>>>>> 1. An assertion obtained by a relying party from an entity other than
>>>>> the asserting party MUST be signed 1384
>>>>> by the asserting party. 1385
>>>>> 2. A SAML message arriving at a destination from an entity other than
>>>>> the originating site MUST be 1386
>>>>> signed by the origin site. 1387
>>>>>
>>>>> which seems to require that SAML assertions be signed whenever they are
>>>>> conveyed by other than the authority. I was surprised to see this as a
>>>>> requirement. Although this is not my issue, was this the intent of the
>>>>> SAML specification; as it seems to say "MAY be signed" just about
>>>>> everywhere else that the subject of signing assertion shows up.
>>>>>
>>>>> Anyway, if assertions obtained from other than the authority must be
>>>>> signed, is there somewhere in the SAML spec where it says that a RP when
>>>>> presented with such an assertion, must validate the signature on the
>>>>> assertion?
>>>>>
>>>>> I need to address a related issue in the wss SAML profile.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ron
>>>>>
>>>>> I a
>>>>>
>>
>> --
>> Eve Maler                                        +1 781 442 3190
>> Sun Microsystems                            cell +1 781 354 9441
>> Web Technologies and Standards              eve.maler @ sun.com
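Ron's question above is whether a relying party that receives an assertion from someone other than the asserting party is obliged to validate the signature. The following is an added example, not code from the thread or from the SAML specification, of a relying-party check that enforces rule 1 of section 5 as quoted: an assertion presented by any party other than its `Issuer` must carry a signature, and a signature that is present is always verified against the key the relying party holds for that issuer rather than merely noticed. The issuer and intermediary URLs, the trust store, the sample SAML 1.1 assertion and the `stand_in_verifier` are constructed for the demo; the cryptographic step itself is delegated to an injected callable, where a deployment would plug in a real XML-DSig verifier.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Tuple

# Namespaces of a SAML 1.1 assertion and of an enveloped XML Signature.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed out-of-band trust store: Issuer value -> key material the relying
# party accepts for that issuer (placeholder string, not a real key).
TRUSTED_ISSUERS: Dict[str, str] = {
    "https://idp.example.org": "PLACEHOLDER-ISSUER-PUBLIC-KEY",
}

# Hypothetical verifier interface: (Assertion element, issuer key) -> bool.
Verifier = Callable[[ET.Element, str], bool]


def build_assertion(signed: bool) -> str:
    """Constructed SAML 1.1 assertion; the ds:Signature is a structural placeholder."""
    signature = (
        "  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>\n"
        if signed else ""
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML1_NS}" xmlns:ds="{DS_NS}"\n'
        '    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"\n'
        '    Issuer="https://idp.example.org" IssueInstant="2002-12-02T23:05:00Z">\n'
        f"{signature}"
        '  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"\n'
        '      AuthenticationInstant="2002-12-02T23:04:00Z">\n'
        "    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>\n"
        "  </saml:AuthenticationStatement>\n"
        "</saml:Assertion>\n"
    )


def evaluate_assertion(xml_text: str, presenter: str,
                       trusted_issuers: Dict[str, str],
                       verify_signature: Verifier) -> Tuple[bool, str]:
    """Relying-party decision for one assertion.

    presenter is the authenticated identity of the party that handed us the
    assertion (transport-level peer). Rule 1 of SAML core section 5: if that
    party is not the Issuer, the assertion must be signed by the Issuer.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        return False, "not a SAML 1.x assertion"
    issuer = root.get("Issuer")
    if not issuer:
        return False, "assertion has no Issuer"
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer}"

    signature = root.find(f"{{{DS_NS}}}Signature")
    if presenter == issuer:
        # Obtained directly from the asserting party: rule 1 does not apply,
        # so an unsigned assertion is acceptable on the strength of the
        # authenticated channel. A signature that is present is still checked
        # below; never accept an assertion carrying a signature you ignored.
        if signature is None:
            return True, "unsigned assertion accepted: received directly from issuer"
    elif signature is None:
        return False, "unsigned assertion received via intermediary"

    if not verify_signature(root, trusted_issuers[issuer]):
        return False, "signature does not verify against the issuer's key"
    return True, "signed assertion accepted"


def stand_in_verifier(root: ET.Element, issuer_key: str) -> bool:
    """Stand-in for the offline demo only: accepts any non-empty SignatureValue.
    A real relying party replaces this with an XML-DSig verifier bound to issuer_key."""
    value = root.find(f"{{{DS_NS}}}Signature/{{{DS_NS}}}SignatureValue")
    return value is not None and bool((value.text or "").strip())


if __name__ == "__main__":
    cases = [(False, "https://idp.example.org"),      # direct from issuer, unsigned
             (False, "https://broker.example.net"),   # via intermediary, unsigned
             (True, "https://broker.example.net")]    # via intermediary, signed
    for signed, presenter in cases:
        ok, reason = evaluate_assertion(build_assertion(signed), presenter,
                                        TRUSTED_ISSUERS, stand_in_verifier)
        print(f"signed={signed} presenter={presenter}: "
              f"{'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The `presenter` value must come from the transport layer (the authenticated TLS peer or the SOAP sender), not from anything inside the assertion, otherwise an intermediary could claim to be the issuer and bypass the signature requirement entirely.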