Subject: Re: [security-services] Query submitted to saml.xml.org
thanks Sampo, I think I found him, I'll forward your answer

paul

sampo@symlabs.com wrote:
> Paul Madsen wrote:
>
>> http://saml.xml.org/forum/calculating-digest-of-an-authentication-statement
>>
>> Dear Sirs, my name is Gianluca from Italy.
>> I'm trying to calculate the Digest value of a SAML Authentication
>> Statement with the SHA-1 algorithm. Let us suppose that we are dealing
>> with a string representing the following node:
>>
>> <saml:AuthenticationStatement>
>> <saml:Subject>
>> <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
>> </saml:Subject>
>> </saml:AuthenticationStatement>
>>
>> When I try to calculate SHA-1 with the function b64_sha1(str2Digest), what
>> exactly should the string str2Digest contain? I mean, should it be equal to
>> "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>GIANLUCA</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
>> or only "GIANLUCA" or .... what else?
>>
>
> It's a pity he did not provide an email address, but let's hope this reaches
> him anyway.
>
> 1. There is no universally agreed way to digest Authentication Statements.
> 2. The "universally" agreed way to digest XML in general is exc-c14n (exclusive
>    canonicalization) [XML-EXC-C14N]. This method is used by all certified
>    SAML implementations. It is also the method used by digital
>    signatures [XMLDSIG].
> 3. Canonicalization is difficult, and typically 80% of digital signature
>    failures derive from canonicalization bugs. Of those, 95% are
>    XML namespace related (curse the inventor of XML namespaces), and
>    4% are whitespace related.
> 4. For what you are apparently trying to do, it is important to
>    digest the entire canonicalized Authentication Statement.
>    If the question had been about canonicalizing the NameID, it
>    would still be important to digest the entire canonicalized
>    Name Identifier, as the actual value in isolation is meaningless.
>    You need the identifier type and namespace qualification
>    for the digest to be meaningful.
>
> [XML-C14N] XML Canonicalization (non-exclusive),
> http://www.w3.org/TR/2001/REC-xml-c14n-20010315; J. Boyer: "Canonical XML
> Version 1.0", W3C Recommendation, 15.3.2001,
> http://www.w3.org/TR/xml-c14n, RFC3076
>
> [XML-EXC-C14N] Exclusive XML Canonicalization,
> http://www.w3.org/TR/xml-exc-c14n/
>
> [XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation,
> 12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC3275
>
> Cheers,
> --Sampo

--
Paul Madsen
e:paulmadsen @ ntt-at.com
NTT p:613-482-0432 m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
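As an added example (not code from this thread or from either author), the following Python script does what Sampo's point 4 asks for: it base64-encodes the SHA-1 of the canonicalized whole element, and it shows that an unused namespace declaration does not change the digest while pretty-printing whitespace does, the two failure classes his point 3 names. Assumptions: the SAML 1.x assertion namespace URI for the `saml:` prefix, and that the standard library's `xml.etree.ElementTree.canonicalize` (Canonical XML 2.0, Python 3.8+) yields the same bytes as exclusive c14n for this simple fragment; a production signature check should use a real exc-c14n implementation.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace (the one saml:AuthenticationStatement lives in).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample input: Gianluca's statement, compact serialization.
COMPACT = (
    f'<saml:AuthenticationStatement xmlns:saml="{SAML_NS}">'
    "<saml:Subject><saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>"
    "</saml:Subject></saml:AuthenticationStatement>"
)
# Same infoset with an unused namespace declaration added: exclusive
# canonicalization drops it, so the digest must not change.
UNUSED_NS = COMPACT.replace(
    f'xmlns:saml="{SAML_NS}"',
    f'xmlns:saml="{SAML_NS}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
    1,
)
# Pretty-printed: the indentation is real text content, survives
# canonicalization, and therefore produces a different digest.
INDENTED = (
    f'<saml:AuthenticationStatement xmlns:saml="{SAML_NS}">\n'
    "  <saml:Subject>\n"
    "    <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>\n"
    "  </saml:Subject>\n"
    "</saml:AuthenticationStatement>"
)

def canonicalize(xml_text: str) -> bytes:
    """Canonical UTF-8 bytes of the element. Assumption: the stdlib Canonical
    XML 2.0 writer gives the same bytes as exc-c14n for this fragment."""
    return ET.canonicalize(xml_text, with_comments=False).encode("utf-8")

def b64_sha1(data: bytes) -> str:
    """The b64_sha1() from the question: base64 of the raw 20-byte SHA-1
    digest, which is also how a ds:DigestValue is encoded."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def digest_statement(xml_text: str) -> str:
    """str2Digest is the whole canonicalized element, never the bare value."""
    return b64_sha1(canonicalize(xml_text))

if __name__ == "__main__":
    for label, doc in (("compact", COMPACT), ("unused ns", UNUSED_NS), ("indented", INDENTED)):
        print(f"{label:10} {digest_statement(doc)}")
    print(f"{'bare value':10} {b64_sha1(b'GIANLUCA')}  (no element, namespace or type)")
```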