OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Signatures in protocols (section 3 of core)

ext Scott Cantor wrote:

>Per the note I just sent, I'm trying to wordsmith some new text for the
>generic text in section 3 around <ds:Signature> in the request/response
>I really don't see the logic in the current text, which says that if I get
>an invalid signature, I'm allowed to consider it valid. (Note that this has
>nothing to do with trust, I'm just talking about the crypto.) What possible
>use case would we see for that and why would it be a good thing?
>Instead, I think we should clarify the difference between signature validity
>and trusting the signer, and be more clear about message integrity here.
I agree wholeheartedly with this intention.

>I propose the following text to replace lines 1318-1320:
>"Depending on the requirements of particular protocols or profiles, a SAML
>requester may often need to authenticate itself
Insert: ", "

> and message integrity may
>often be required. Authentication and integrity MAY be provided by 
Insert: "mechanisms provided by"

>protocol binding (see [SAMLBind]). The SAML request MAY be signed, which
>provides both authentication of the requester and message integrity.
I am fine with the MAY if this is not a duplicated requirement from some 
other part of [SAMLCore], otherwise, I think this text should just be 

>If a signature is used, then the <ds:Signature> element MUST be present, and
>the responder MUST verify that the signature is valid (that is, that the
>message has not been tampered with) in accordance with [XMLSig]. If it is
>invalid, then the responder MUST NOT rely on the contents of the request and
>SHOULD respond with an error. If it is valid, then the responder SHOULD
>evaluate the signature to determine the identity of the signer and MAY
>process the request or respond with an error."
Yup - looks good.

- JohnK

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]