Subject: Re: [security-services] Query submitted to saml.xml.org
Thanks Sampo, I think I found him, I'll forward your answer.
paul
sampo@symlabs.com wrote:
> Paul Madsen wrote:
>
>> http://saml.xml.org/forum/calculating-digest-of-an-authentication-statement
>>
>> Dear Sirs, my name is Gianluca from Italy.
>> I'm trying to calculate the Digest value of a SAML Authentication
>> Statement with the SHA-1 algorithm. Let us suppose that we are dealing
>> with a string representing the following node:
>>
>> <saml:AuthenticationStatement>
>> <saml:Subject>
>> <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
>> </saml:Subject>
>> </saml:AuthenticationStatement>
>>
>> When I try to calculate SHA-1 with the function b64_sha1(str2Digest),
>> what exactly should the string str2Digest contain? I mean, should it be
>> equal to
>> "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>GIANLUCA</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
>> or only "GIANLUCA" or ... what else?
>>
>
> It's a pity he did not provide an email address, but let's hope this reaches
> him anyway.
>
> 1. There is no universally agreed way to digest Authentication Statements.
> 2. "Universally" agreed way to digest XML in general is exc-c14n (exclusive
> canonicalization) [XML-EXC-C14N]. This method is used by all certified
> SAML implementations. It is also the method used by digital
> signatures [XMLDSIG].
> 3. Canonicalization is difficult and typically 80% of digital signature
> failures derive from canonicalization bugs. Of those 95% are
> XML namespace related (curse the inventor of XML namespaces), and
> 4% are whitespace related.
> 4. For what you are apparently trying to do, it is important to
> digest the entire canonicalized Authentication Statement.
> If the question had been about canonicalizing the NameID, it
> would still be important to digest the entire canonicalized
> Name Identifier as the actual value in isolation is meaningless.
> You need the identifier type and namespace qualification
> for the digest to be meaningful.
>
> [XML-C14N] XML Canonicalization (non-exclusive),
> http://www.w3.org/TR/2001/REC-xml-c14n-20010315; J. Boyer: "Canonical XML
> Version 1.0", W3C Recommendation, 15.3.2001,
> http://www.w3.org/TR/xml-c14n, RFC3076
>
> [XML-EXC-C14N] Exclusive XML Canonicalization,
> http://www.w3.org/TR/xml-exc-c14n/
>
> [XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation,
> 12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC3275
>
> Cheers,
> --Sampo
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
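The two points Sampo makes (digest the whole canonicalized statement, and expect whitespace and namespace handling to be where digests go wrong) can be seen directly in code. The following is an added example, not code from this thread or from any SAML implementation. It uses Python's standard `xml.etree.ElementTree.canonicalize`, which implements Canonical XML 2.0 rather than the exc-c14n 1.0 that XML-DSIG uses; the behaviour demonstrated here (namespace declarations emitted on the element that uses them, whitespace text nodes preserved) is the same in principle, but a real signature check must use an XML-DSIG library. The sample assertions are constructed for the example, and `canonical_statement`, `digest_statement` and `RAW_STATEMENT` are names chosen here, not anything from the thread.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# SAML 1.x assertion namespace; the prefix is registered so that re-serialized
# subtrees keep the "saml:" prefix used in the source document.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML1_NS)

# Constructed samples (not from the thread): the statement from the question,
# wrapped in the Assertion element that carries the namespace declaration.
ASSERTION_COMPACT = (
    f'<saml:Assertion xmlns:saml="{SAML1_NS}">'
    "<saml:AuthenticationStatement><saml:Subject>"
    "<saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>"
    "</saml:Subject></saml:AuthenticationStatement>"
    "</saml:Assertion>"
)

# Same content, indented the way a person would write it.
ASSERTION_PRETTY = f"""<saml:Assertion xmlns:saml="{SAML1_NS}">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Compact content again, but the statement carries a namespace declaration
# that nothing inside it uses.
ASSERTION_UNUSED_NS = ASSERTION_COMPACT.replace(
    "<saml:AuthenticationStatement>",
    '<saml:AuthenticationStatement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">',
    1,
)

# The bare string from the question: no namespace declaration at all.
RAW_STATEMENT = (
    "<saml:AuthenticationStatement><saml:Subject>"
    "<saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>"
    "</saml:Subject></saml:AuthenticationStatement>"
)


def canonical_statement(assertion_xml: str) -> bytes:
    """Return the canonical octets of the AuthenticationStatement subtree.

    Serializing the subtree on its own puts the namespace declaration it
    actually uses onto its start tag and drops the ones it does not use;
    canonicalize() then normalizes attribute order, quoting and escaping.
    Whitespace text nodes are kept, as exc-c14n keeps them.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML1_NS}}}AuthenticationStatement")
    if stmt is None:
        raise ValueError("assertion carries no AuthenticationStatement")
    stmt.tail = None  # tostring() would otherwise emit the text after the element
    subtree = ET.tostring(stmt, encoding="unicode")
    return ET.canonicalize(subtree, strip_text=False).encode("utf-8")


def b64_sha1(data: bytes) -> str:
    """Base64 of the SHA-1 digest, the DigestValue encoding used by XML-DSIG."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def digest_statement(assertion_xml: str) -> str:
    """Digest the whole canonicalized statement, never just the identifier."""
    return b64_sha1(canonical_statement(assertion_xml))


if __name__ == "__main__":
    samples = [("compact", ASSERTION_COMPACT), ("pretty", ASSERTION_PRETTY),
               ("unused-ns", ASSERTION_UNUSED_NS)]
    for name, doc in samples:
        print(f"{name:10s} {digest_statement(doc)}")
    print(f"{'raw string':10s} {b64_sha1(RAW_STATEMENT.encode('utf-8'))}")
    print(f"{'just name':10s} {b64_sha1(b'GIANLUCA')}")
```

Running it shows that the compact and the unused-namespace variants digest to the same value (the declaration that is never used does not survive canonicalization), while the indented variant digests differently because its whitespace text nodes are part of the canonical form. Neither matches the digest of the bare string from the question, which lacks the `xmlns:saml` declaration that canonicalization places on the statement's start tag, and none of them has anything to do with the digest of `GIANLUCA` alone.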