


security-services message


Subject: RE: [security-services] x509 Authn-based Profile

> Well, the profile is written such that it does not rely on 
> SOAP binding mechanisms to authenticate, assure integrity, 
> etc... for the various protocol message exchanges. Therefore 
> the Request must be signed. However, I was assuming that 
> since the Assertion has to be signed, there would be no need 
> for the Response to be signed (since the Assertion contains 
> everything the Response has). If both need to be signed for 
> some reason, then the signing section should discuss this as well.

Aside from general layering considerations, the Response does have message
correlation and replay protection in it, as well as any additional status.

Not that I'm advocating signing (I'd use TLS), but if you want a permanent
audit trail of the protocol, I think the response ought to be signed.

-- Scott
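Added illustration of the point Scott makes above; this is not code from the thread, from the profile draft, or from any OASIS specification. It builds a SAML 2.0 Response wrapping an Assertion, "signs" either only the Assertion or the whole Response, and then rewrites the Response-level InResponseTo correlation attribute. The assumptions are: an HMAC-SHA256 tag over the C14N form of an element stands in for a real XML-DSig enveloped signature (the key, the IDs, the issuer and the NameID are constructed demo values), and signatures are kept in a detached table rather than embedded as ds:Signature elements.

```python
"""Why a signed Assertion alone leaves the Response envelope unprotected.

Constructed example. An HMAC over the canonical (C14N) serialization of an
element stands in for an XML-DSig enveloped signature; the real protocol
would use an RSA/DSA signature with the IdP's certificate instead.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Stand-in for the IdP's private signing key (constructed demo value).
IDP_KEY = b"constructed-demo-signing-key"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_response(in_response_to="_req-0001", status=STATUS_SUCCESS):
    """Build a minimal samlp:Response carrying one saml:Assertion.

    ID / InResponseTo / IssueInstant live on the Response and give the SP
    its replay protection and request correlation; Status says whether the
    request succeeded. None of these are inside the Assertion.
    """
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_resp-0001",
        "InResponseTo": in_response_to,
        "IssueInstant": "2004-02-10T12:00:00Z",
        "Version": "2.0",
    })
    status_el = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", {"Value": status})

    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_assert-0001",
        "IssueInstant": "2004-02-10T12:00:00Z",
        "Version": "2.0",
    })
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = "https://idp.example.org"
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = "CN=alice,O=Example"
    return resp


def assertion_of(resp):
    """Return the saml:Assertion child of a Response."""
    return resp.find(f"{{{SAML}}}Assertion")


def c14n(elem):
    """Canonicalize one element subtree (XML C14N, whitespace text stripped)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True)


def sign(elem, key=IDP_KEY):
    """Produce the stand-in signature over the canonical form of `elem`."""
    return hmac.new(key, c14n(elem).encode("utf-8"), hashlib.sha256).hexdigest()


def verify(elem, signature, key=IDP_KEY):
    """Recompute the stand-in signature and compare in constant time."""
    return hmac.compare_digest(sign(elem, key), signature)


def rewrite_correlation(resp, new_in_response_to="_req-ATTACKER"):
    """Tamper with a Response-level field only, leaving the Assertion untouched.

    This models someone on the path replaying a captured Response against a
    different request: the signed Assertion bytes are not modified at all.
    """
    resp.set("InResponseTo", new_in_response_to)
    return resp


def demo():
    """Sign both ways, tamper with the envelope, and report what each catches."""
    resp = build_response()
    assertion_sig = sign(assertion_of(resp))   # what the quoted proposal relies on
    response_sig = sign(resp)                  # what Scott argues for

    rewrite_correlation(resp)

    return {
        # Assertion-only signature: the rewritten InResponseTo goes unnoticed.
        "assertion_sig_still_valid": verify(assertion_of(resp), assertion_sig),
        # Whole-Response signature: correlation and status are covered too.
        "response_sig_still_valid": verify(resp, response_sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same rewrite applies to the Status element and the Response ID and IssueInstant: anything outside the Assertion is outside the Assertion's signature. TLS protects these fields in transit between the two endpoints, which is why Scott prefers it for integrity, but only a signature over the Response gives the SP something it can keep and re-verify later as an audit record.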
