Subject: Simple Sign not so simple
In recent interop testing we have found several points worth clarifying.

1. Spec says that whitespace inside the XML is preserved. It would be helpful to mention that whitespace before and after the XML should also be preserved. Or else forbid the leading and trailing whitespace.

2. It would be worth mentioning that in addition to the XML document, also the processing instructions, etc. need to be preserved. Or else forbid the <?xml ...> preamble.

3. A stance should be taken on use of UTF-8 encoding (presumably this is the only encoding allowed by the binding).

4. A stance should be taken on the UTF byte order mark (BOM). I think it should be outlawed.

5. Is the SigAlg included in the signed data in URL encoded form or not, i.e.

   SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1

   or

   SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1

6. Handling of the following special cases should be clarified:

   a. Response to request that had empty, but present, RelayState.
   b. Response to request that had no RelayState.

   My reading of the spec as it stands is that in both cases the material that is signed will be

   SAMLResponse=...&RelayState=&SigAlg=...

   I.e. the RelayState= label is present in the signature in all cases irrespective of whether the RelayState was supplied in the request.

7. For debugging and also clarification of the material to be signed, the example should have an additional section that shows the material that was signed.

Cheers,
--Sampo
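
Added example, not part of the original message or of the specification: an interop debugging aid that builds the signature input under each combination of the readings questioned in points 1, 2, 4, 5 and 6 and reports which combination a peer used. The flag names, the sample XML and the idea of the peer reporting a SHA-1 digest of the bytes it signed (in the spirit of point 7) are assumptions made for illustration.

```python
import hashlib
from itertools import product
from urllib.parse import quote

BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark (point 4)
SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # value from point 5
# Constructed sample message: BOM, XML preamble, trailing newline (points 1, 2, 4).
SAMPLE_XML = BOM + b'<?xml version="1.0" encoding="UTF-8"?>\n<Response ID="constructed"/>\n'
READINGS = ("strip_ws", "strip_bom", "encode_sigalg", "omit_absent_relay")  # hypothetical names


def signed_octets(xml, relay_state, sig_alg=SIG_ALG, *, strip_ws=False,
                  strip_bom=False, encode_sigalg=False, omit_absent_relay=False):
    """Build the signature input under one combination of readings.

    relay_state is None when the request carried no RelayState and "" when it
    carried an empty one (point 6). With every flag False nothing is altered,
    RelayState= is always emitted (the message's reading of point 6) and
    SigAlg is left unencoded.
    """
    if strip_bom and xml.startswith(BOM):
        xml = xml[len(BOM):]
    if strip_ws:
        xml = xml.strip()  # ASCII whitespace only; a leading BOM is left in place
    parts = [b"SAMLResponse=" + xml]
    if relay_state is not None or not omit_absent_relay:
        parts.append(b"RelayState=" + (relay_state or "").encode("utf-8"))
    alg = quote(sig_alg, safe="") if encode_sigalg else sig_alg
    parts.append(b"SigAlg=" + alg.encode("ascii"))
    return b"&".join(parts)


def matching_readings(xml, relay_state, peer_sha1_hex, sig_alg=SIG_ALG):
    """Return every flag combination whose signature input hashes to the
    SHA-1 digest the peer reported for the bytes it actually signed."""
    hits = []
    for flags in product((False, True), repeat=len(READINGS)):
        opts = dict(zip(READINGS, flags))
        data = signed_octets(xml, relay_state, sig_alg, **opts)
        if hashlib.sha1(data).hexdigest() == peer_sha1_hex:
            hits.append(opts)
    return hits


if __name__ == "__main__":
    # Constructed peer: drops the BOM and URL-encodes SigAlg before signing.
    peer = signed_octets(SAMPLE_XML, None, strip_bom=True, encode_sigalg=True)
    print(matching_readings(SAMPLE_XML, None, hashlib.sha1(peer).hexdigest()))
```

On the sample input all sixteen combinations yield different octet strings, so a signature made under one reading fails to verify under any other.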