OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] WantsAuthnRequestSigned and AuthnRequestsSigned attributes

> Hi. In the metadata there is support for whether AuthnRequest 
> messages should be signed or not (from a requester and 
> responder perspective) using the WantsAuthnRequestSigned and 
> AuthnRequestsSigned attributes. It seems incomplete that this 
> does not extend to all protocol requests and protocol 
> responses. I.e., 

Because SSO is a special case in which some kinds of signing are essentially
optional in many deployments and might depend on the use case. Signing a
request is often optional depending on how important the content is. Signing
assertions isn't required when using artifact, so having the flag insures
that the SP can ask for that.

In every other profile, the options don't really exist, with the possible
exception of queries.

> And these would somehow be associated with an endpoint. So 
> for example, SOAP messages may disable protocol message 
> signing (since the binding typically would provide this 
> capability). Whereas HTTP-based binding would require this.

That's the point, they already do require it by definition in the profiles.
In SOAP, authentication is required with most of those profiles, but we
don't dictate how, and signing is only one way. We'd have to cover every
possible way, and since we're not going to do that, I don't think we should
even start.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]