OASIS Mailing List Archives
security-services message



Subject: AI (partial): XML Sig processing rules


As I expected, I haven't had time to formulate a complete proposal yet, but as a harbinger, I'd like to summarize the Liberty 1.1
spec language in section 3.1.5 of protocols/schemas, which describes rules for signature processing.

They are essentially what I would propose we adopt for SAML, now that ID attributes are present. Almost all of the stuff I wrote in
the guidelines draft is either background material to explain issues, or obsolete because the ID attributes solve the "how to
reference a fragment" problem.

Basically, the rules are:

Signers MUST use a URI fragment (referred to in the spec as a bare XPointer) to point to the Request/Response/Assertion being
signed, using its ID attribute. This looks like <Reference URI="#foo"> where foo is the value of the ID.

Signers MUST NOT assume that the signed XML is at the root of the eventual document (but this could be relaxed for profiles that
mandate it).

Signers SHOULD NOT use Transforms other than:

Enveloped Signature
Exclusive XML Canonicalization

Receivers MAY reject messages that use other transforms. Receivers MUST NOT accept other transforms unless they verify that none of
the SAML data is excluded from the Reference.

Signers SHOULD use Exclusive C14N in the SignedInfo C14NMethod.

These rules are simple, use only mandatory parts of the spec (except for Excl C14N, which is a necessary piece regardless), and
should solve the interop problems.

I recommend that we simply adopt the rules without regard for the 1.0 spec language or compatibility, since there was no real
interop possible with those rules. I've barely been able to maintain interop with myself in Shibboleth! ;-)

-- Scott
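The receiver-side half of the rules above, as an added example that is not part of the original message and is not code from Shibboleth, Liberty or OpenSAML. It uses only the Python standard library and checks the structure of an enveloped ds:Signature against a strict reading of the rules: the Reference URI must be a bare fragment, the fragment must resolve to exactly one element, the transforms must be only enveloped-signature and Exclusive C14N, and SignedInfo must use Exclusive C14N. Two things are my assumptions rather than the message's text: the set of ID attribute names accepted (SAML 2.0 `ID` and the SAML 1.x `AssertionID`/`RequestID`/`ResponseID`), and the requirement that the referenced element be the one that directly encloses the Signature (the message only says the reference points at the Request/Response/Assertion being signed). The sample messages are constructed, with placeholder digest and signature values; cryptographic verification of SignatureValue is a separate step that this code does not perform.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Exclusive C14N, with or without comments, is the only canonicalization accepted.
ALLOWED_C14N = {EXC_C14N, EXC_C14N + "WithComments"}
ALLOWED_TRANSFORMS = {ENVELOPED} | ALLOWED_C14N
# Assumption: the ID attribute may carry any of these names (SAML 2.0 "ID",
# SAML 1.x AssertionID / RequestID / ResponseID).
ID_ATTRS = ("ID", "AssertionID", "RequestID", "ResponseID")


def _ds(local):
    return "{%s}%s" % (DS, local)


def _element_id(elem):
    for name in ID_ATTRS:
        if name in elem.attrib:
            return elem.attrib[name]
    return None


def check_signature(xml_text):
    """Return a list of rule violations for every ds:Signature in xml_text.
    An empty list means the structure is acceptable; checking SignatureValue
    cryptographically is a separate, later step not done here."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    problems = []
    signatures = list(root.iter(_ds("Signature")))
    if not signatures:
        return ["no ds:Signature element found"]
    for sig in signatures:
        signed = parents.get(sig)  # enveloped: the signed element encloses the Signature
        if signed is None:
            problems.append("Signature is the document root; nothing encloses it")
            continue
        if _element_id(signed) is None:
            problems.append("enclosing element %s has no ID attribute" % signed.tag)
        signed_info = sig.find(_ds("SignedInfo"))
        if signed_info is None:
            problems.append("Signature lacks SignedInfo")
            continue
        c14n = signed_info.find(_ds("CanonicalizationMethod"))
        if c14n is None or c14n.get("Algorithm") not in ALLOWED_C14N:
            problems.append("SignedInfo canonicalization is not Exclusive C14N")
        refs = signed_info.findall(_ds("Reference"))
        if not refs:
            problems.append("SignedInfo has no Reference")
        for ref in refs:
            uri = ref.get("URI", "")
            # Rule: a bare fragment (#id); an empty URI would sign the whole document.
            if not uri.startswith("#") or len(uri) < 2:
                problems.append("Reference URI %r is not a bare fragment (#id)" % uri)
                continue
            targets = [e for e in root.iter() if _element_id(e) == uri[1:]]
            if len(targets) != 1:
                problems.append("Reference %s matches %d elements, not 1" % (uri, len(targets)))
            elif targets[0] is not signed:
                problems.append("Reference %s does not point at the element enclosing the Signature" % uri)
            # Strict policy: any transform other than enveloped + Exclusive C14N is rejected
            # outright, so no SAML data can be excluded from what is digested.
            for t in ref.iter(_ds("Transform")):
                alg = t.get("Algorithm")
                if alg not in ALLOWED_TRANSFORMS:
                    problems.append("Transform %s is not enveloped-signature or Exclusive C14N" % alg)
    return problems


# Constructed sample: a SAML 1.x Response whose Assertion carries an enveloped
# signature. The Assertion is deliberately not the document root.
_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResponseID="r1">{extra}'
    '<saml:Assertion AssertionID="a1"><ds:Signature><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="{c14n}"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="{uri}"><ds:Transforms>{transforms}</ds:Transforms>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>c29tZSBkaWdlc3Q=</ds:DigestValue></ds:Reference>'
    '</ds:SignedInfo><ds:SignatureValue>c29tZSBzaWc=</ds:SignatureValue>'
    '</ds:Signature></saml:Assertion></samlp:Response>'
)


def sample_message(uri, transform_algs, c14n=EXC_C14N, extra=""):
    """Fill the constructed template; digest and signature values are placeholders."""
    transforms = "".join('<ds:Transform Algorithm="%s"/>' % a for a in transform_algs)
    return _TEMPLATE.format(uri=uri, transforms=transforms, c14n=c14n, extra=extra)


GOOD = sample_message("#a1", [ENVELOPED, EXC_C14N])
NO_FRAGMENT = sample_message("", [ENVELOPED, EXC_C14N])  # empty URI: whole document
XPATH = sample_message("#a1", [ENVELOPED, "http://www.w3.org/TR/1999/REC-xpath-19991116", EXC_C14N])
WRONG_TARGET = sample_message("#a0", [ENVELOPED, EXC_C14N],
                              extra='<saml:Assertion AssertionID="a0"/>')
INCLUSIVE = sample_message("#a1", [ENVELOPED, EXC_C14N],
                           c14n="http://www.w3.org/TR/2001/REC-xml-c14n-20010315")

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("no-fragment", NO_FRAGMENT), ("xpath", XPATH),
                      ("wrong-target", WRONG_TARGET), ("inclusive-c14n", INCLUSIVE)]:
        print(name, check_signature(doc) or "accepted")
```

Only the first sample is accepted; the other four each trip exactly the rule they were built to violate. Because the check rejects any transform outside the allowed set, it never needs to reason about what an XPath or XSLT transform might drop from the digested content, which is the verification the message says a receiver would otherwise have to perform.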
