OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [security-services] Suggested text for POST profile signature usage

The XML Sig guidelines draft includes a section with non-normative
recommendations on use of signatures in the POST profile (section 5.1.1)

My suggestion for SAML 1.1 is to copy or move this into the bindings and
profiles document to supplement lines 694-695 that call out the
requirement to sign the Response.

In the 1.1 time frame, the language can use "SHOULD", to maintain
compatibility with the lack of requirements in the 1.0 spec. We could
indicate the intent to turn this into a "MUST" in the 2.0 spec to
encourage common implementation in the future.

The advantage of mandating this in the 2.0 spec is that the POST profile
can be made more efficient by allowing the relying party to examine the
signature syntax to determine that the necessary content has been signed
(per the guidelines draft, section 4.3).

Possible text follows to replace the existing lines:

"The SAML response MUST be digitally signed following the guidelines
given in [SAMLCore]. In addition, the response Signature SHOULD be
constructed with a single Reference containing an empty ("") Reference
URI and the Enveloped Signature Transform. Future versions of this
specification may mandate these signature requirements and current
implementers are encouraged to conform to it.

Additional included assertions MAY be digitally signed. The contextual
issues raised in [SigGuidelines] apply to such usage and should be taken
into account when constructing an embedded signature."

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC