

Subject: [security-services] SAML XML digital signature guidelines vs. Liberty


I read through the SAML XML dsig guidelines doc with an eye to comparing 
it to the new signature requirements in Liberty 1.1.  I didn't see any 
obvious problems.  Jeff asked me to send this note to security-services 
with the information.  It's maybe worth noting that Liberty 1.1 is 
using a stricter set of requirements:

(a) We have extended SAML to allow an ID attribute so a simple URI 
fragment can be used (see section 3.1)
(b) We have mandated support for exclusive C14N (see section 2)
(c) We are somewhat silent on 4.1 vs 4.2 vs 4.3.  However, we have 
language to explicitly allow implementers to choose 4.3; we say that if 
the signer uses transforms other than the ones we list, the verifier 
MAY refuse to verify the signature.  This allows for any hypothetical 
extensions to remain somewhat compatible while still not requiring 
verifiers to implement 4.1 or 4.2, which can be somewhat complex.

None of these differences really seem to be that big of a deal.  Note 
that Liberty has already extended the SAML schema in numerous places, 
so the additional ID attribute was not much of a problem.

The SAML document goes into much more detail on the issues than I 
thought we should put into the Liberty spec, and it's probably worth 
pointing people to if they have questions about how Liberty does 
signatures.
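
A verifier-side policy check for points (a) and (c) above, given as an added example that is not part of the original message or of the Liberty or SAML documents. The transform allow-list, the `ID` attribute name, the `urn:example:msg` namespace, the rule that the Reference must be a fragment naming the enclosing element, and the function names are all assumptions; the check decides only whether to refuse and performs no cryptographic verification.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Assumed allow-list: the message says Liberty lists its transforms but does not name them.
ALLOWED_TRANSFORMS = {ENVELOPED, EXC_C14N}

def refusal_reasons(xml_text, id_attr="ID"):
    """Return reasons a strict verifier may refuse the signature (empty list = acceptable)."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return ["no ds:Signature child on the signed element"]
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return [f"expected exactly one ds:Reference, found {len(refs)}"]
    reasons = []
    # Point (a): the Reference is a simple fragment naming the signed element's ID.
    uri = refs[0].get("URI", "")
    signed_id = root.get(id_attr)
    if not signed_id or uri != "#" + signed_id:
        reasons.append(f"Reference URI {uri!r} is not a fragment naming the enclosing element")
    # Point (c): any transform outside the listed set is grounds to refuse.
    for transform in refs[0].findall(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
        alg = transform.get("Algorithm", "")
        if alg not in ALLOWED_TRANSFORMS:
            reasons.append(f"unlisted transform {alg!r}")
    return reasons

def sample_message(uri, transforms):
    """Constructed sample input in a hypothetical namespace (not a real Liberty message)."""
    ts = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    return (f'<m:Request xmlns:m="urn:example:msg" xmlns:ds="{DS}" ID="r1">'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{uri}">'
            f'<ds:Transforms>{ts}</ds:Transforms></ds:Reference>'
            f'</ds:SignedInfo></ds:Signature></m:Request>')

if __name__ == "__main__":
    xpath = "http://www.w3.org/TR/1999/REC-xpath-19991116"  # XPath filtering transform
    print(refusal_reasons(sample_message("#r1", [ENVELOPED, EXC_C14N])))
    print(refusal_reasons(sample_message("#r1", [ENVELOPED, xpath])))
```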



