OASIS Mailing List Archives



security-services message


Subject: AI 0027, proposed signature note text

Here is some possible new text for the Note 
(Action item 27, http://www.oasis-open.org/apps/org/workgroup/security/members/action_item.php?action_item_id=80 )


* Unless a profile specifies an alternative signature mechanism, enveloped XML Digital Signatures
are to be used.  

* A digital signature is NOT always required in SAML. It is useful to characterize these situations.

* In some circumstances signatures may be "inherited", such as an unsigned assertion 
"inheriting" signature benefits from a signature on the containing message. "Inherited" signatures 
should be used with care when the contained object (such as the assertion) is intended to have a 
lifetime. The reason is that the entire context must be retained for validation, 
exposing the messaging content and adding potentially unnecessary overhead.

* Profiles may specify alternative signature mechanisms such as S/MIME or signed Java objects that 
contain SAML documents. Caveats about retaining context and interoperability apply.  XML Signatures 
are intended to be the primary SAML signature mechanism, but the specifications attempt to 
ensure compatibility with profiles that may require other digital signing mechanisms. 

regards, Frederick
Frederick Hirsch
Nokia Mobile Phones
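The "inherited signature" situation in the message above, as an added example that is not part of the original message, the SAML specifications or any OASIS deliverable. It uses a deliberately simplified stand-in for an enveloped XML Signature: a <Signature> child holding a base64 Ed25519 signature over the element's exact serialization with that child removed. There is no canonicalization, SignedInfo, KeyInfo or schema-valid SAML here; the Assertion and Response strings, the element layout and the Ed25519 key pair are all constructed for the example. What it shows is the point of the third bullet: an unsigned assertion that only inherits the signature on its containing Response can be validated for as long as the whole Response is retained, but once the assertion is extracted and stored on its own there is nothing left to verify, whereas an assertion that carries its own enveloped signature survives extraction (and still fails if tampered with).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample assertion (not from any real deployment); it carries no signature of its own.
const assertion = `<Assertion ID="a1"><Subject>alice@example.org</Subject></Assertion>`

// envelope wraps an assertion in a containing message, the way a SAML Response carries one.
func envelope(inner string) string {
	return `<Response ID="r1">` + inner + `</Response>`
}

// newKeys generates the example's signing key pair (assumption: Ed25519 stands in for
// whatever algorithm a real XML Signature profile would specify).
func newKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signEnveloped adds a simplified enveloped signature as the element's last child.
// Simplification: the signed bytes are the element exactly as serialized, with no
// canonicalization, SignedInfo or KeyInfo; real XML-DSig does all of that.
func signEnveloped(doc string, priv ed25519.PrivateKey) string {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(doc)))
	closing := strings.LastIndex(doc, "</") // position of the element's own end tag
	return doc[:closing] + "<Signature>" + sig + "</Signature>" + doc[closing:]
}

// stripSignature removes the element's own (last) enveloped <Signature> and decodes it.
func stripSignature(doc string) (string, []byte, error) {
	start := strings.LastIndex(doc, "<Signature>")
	end := strings.LastIndex(doc, "</Signature>")
	if start < 0 || end < start {
		return "", nil, errors.New("no enveloped signature present")
	}
	sig, err := base64.StdEncoding.DecodeString(doc[start+len("<Signature>") : end])
	if err != nil {
		return "", nil, err
	}
	return doc[:start] + doc[end+len("</Signature>"):], sig, nil
}

// verifyEnveloped checks the element's own enveloped signature. An element that has none
// (an assertion that only "inherited" its container's signature) fails here.
func verifyEnveloped(doc string, pub ed25519.PublicKey) error {
	stripped, sig, err := stripSignature(doc)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, []byte(stripped), sig) {
		return errors.New("enveloped signature does not verify")
	}
	return nil
}

// extractAssertion pulls the Assertion out of its containing message, which is what a
// relying party does when it keeps the assertion for its lifetime but drops the message.
func extractAssertion(doc string) string {
	start := strings.Index(doc, "<Assertion")
	end := strings.Index(doc, "</Assertion>") + len("</Assertion>")
	return doc[start:end]
}

func main() {
	pub, priv := newKeys()

	// Case 1: only the containing Response is signed; the assertion inherits that protection.
	signedResponse := signEnveloped(envelope(assertion), priv)
	fmt.Println("response verifies while the whole context is retained:", verifyEnveloped(signedResponse, pub))
	fmt.Println("assertion extracted from it verifies on its own:", verifyEnveloped(extractAssertion(signedResponse), pub))

	// Case 2: the assertion carries its own enveloped signature, so it survives extraction.
	signedAssertion := signEnveloped(assertion, priv)
	extracted := extractAssertion(envelope(signedAssertion))
	fmt.Println("directly signed assertion verifies after extraction:", verifyEnveloped(extracted, pub))
	tampered := strings.Replace(extracted, "alice", "mallory", 1)
	fmt.Println("tampered copy verifies:", verifyEnveloped(tampered, pub))
}
```

The second case is what the message means by an object "intended to have a lifetime": if the relying party will keep the assertion after the enclosing message is gone, the signature has to be on the assertion itself, or the entire signed message (and whatever else it contains) has to be stored alongside it for later validation.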
