Subject: [security-services] SAML XML digital signature guidelines vs. Liberty
I read through the SAML XML dsig guidelines doc with an eye to compare it to the new signature requirements in Liberty 1.1. I didn't see any obvious problems. Jeff asked me to send this note to security-services with the information.

It's maybe worth noting that Liberty 1.1 is using a stricter set of requirements:

(a) We have extended SAML to allow an ID attribute so a simple URI fragment can be used (see section 3.1)

(b) We have mandated support for exclusive C14N (see section 2)

(c) We are somewhat silent on 4.1 vs 4.2 vs 4.3. However, we have language to explicitly allow implementers to choose 4.3; we say that if the signer uses transforms other than the ones we list, the verifier MAY refuse to verify the signature. This allows for any hypothetical extensions to remain somewhat compatible while still not requiring verifiers to implement 4.1 or 4.2, which can be somewhat complex.

None of these differences really seem to be that big of a deal. Note that Liberty has already extended the SAML schema in numerous places, so the additional ID attribute was not much of a problem. The SAML document goes into much more detail on the issues than I thought we should put into the Liberty spec, and it's probably worth pointing people to if they have questions about how Liberty does signatures.
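The policy the message describes under (a) and (c), as an added example that is not part of the original post, the Liberty specification or any SAML toolkit: a verifier pre-check that resolves the Reference URI as a same-document fragment against an ID attribute and refuses the signature when any Transform is outside the listed set. The transform allow-list (enveloped signature plus exclusive C14N), the identifier attribute names checked (`ID`, `AssertionID`) and the sample assertions with placeholder digest and signature values are all constructed for this example; cryptographic verification of the digest and SignatureValue is out of scope here and would follow only after this check passes.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Transform algorithms the verifier is willing to apply (assumed list for
# this example); a Reference carrying anything else is refused outright.
ALLOWED_TRANSFORMS = {EXC_C14N, ENVELOPED}

# Attribute names treated as element identifiers (assumption for this example).
ID_ATTRIBUTES = ("ID", "AssertionID")


def elements_with_id(root, value):
    """Return every element whose identifier attribute equals value."""
    return [el for el in root.iter()
            if any(el.get(name) == value for name in ID_ATTRIBUTES)]


def check_signature_policy(xml_text):
    """Return (accepted, reason) for the ds:Signature found in xml_text.

    Accepts only a single Signature with a single Reference whose URI is a
    same-document fragment resolving to exactly one element, and whose
    Transforms are all on the allow-list.
    """
    root = ET.fromstring(xml_text)
    signatures = root.findall(f".//{{{DS}}}Signature")
    if len(signatures) != 1:
        return False, f"expected one Signature, found {len(signatures)}"
    references = signatures[0].findall(f".//{{{DS}}}Reference")
    if len(references) != 1:
        return False, f"expected one Reference, found {len(references)}"
    ref = references[0]
    uri = ref.get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        return False, f"Reference URI {uri!r} is not a same-document fragment"
    targets = elements_with_id(root, uri[1:])
    if len(targets) != 1:
        # Zero matches is a dangling reference; more than one is ambiguous.
        return False, f"fragment {uri!r} matches {len(targets)} elements"
    transforms = [t.get("Algorithm") for t in ref.findall(f".//{{{DS}}}Transform")]
    unlisted = [t for t in transforms if t not in ALLOWED_TRANSFORMS]
    if unlisted:
        return False, f"refusing unlisted transform(s): {unlisted}"
    return True, f"{uri} resolves to {targets[0].tag} using listed transforms only"


def sample_assertion(transforms_xml, uri="#assertion-1"):
    """Build a constructed SAML 1.x-style assertion with an enveloped signature.

    DigestValue and SignatureValue are placeholders, not real values.
    """
    return f"""<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:ds="{DS}" ID="assertion-1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="{uri}">
        <ds:Transforms>{transforms_xml}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
</Assertion>"""


# Constructed inputs: the listed transforms, an unlisted (XSLT) transform,
# and a Reference that is not a same-document fragment.
LISTED_ONLY = sample_assertion(
    f'<ds:Transform Algorithm="{ENVELOPED}"/><ds:Transform Algorithm="{EXC_C14N}"/>')
UNLISTED_XSLT = sample_assertion(
    f'<ds:Transform Algorithm="{ENVELOPED}"/>'
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>')
NON_FRAGMENT = sample_assertion(
    f'<ds:Transform Algorithm="{ENVELOPED}"/><ds:Transform Algorithm="{EXC_C14N}"/>',
    uri="http://example.invalid/assertion")

if __name__ == "__main__":
    for label, doc in (("listed transforms", LISTED_ONLY),
                       ("unlisted transform", UNLISTED_XSLT),
                       ("non-fragment URI", NON_FRAGMENT)):
        accepted, reason = check_signature_policy(doc)
        print(f"{label:20} -> {'accept' if accepted else 'refuse'}: {reason}")
```

The check deliberately runs before any canonicalization or digest computation, so a verifier that implements only the listed transforms never has to process a Reference it cannot handle; the MAY in the Liberty text becomes a hard refusal here, which is the simpler of the allowed implementation choices.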