OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wss] Groups - WSS-SAML-09.pdf uploaded


The assertion must always be protcted (in addition to the message),
but sometimes it is the attester that protects the assertion (i.e 
sender-vouches), and
sometimes(holder-of-key) it is a third party (i.e the assertion 
authority) that
potects the assertion.

In both cases the attesting entity binds the assertion to the message 

In the protected (e.g.signed) assertion case,  the attesting entity need not
protect the assertion, because it can only bind a different assertion to the
message, if it can demonstrate knowledge of the confirmation key in
this different assertion. Similarly the attesting entity cannot change the
content of the assertion, without invalidating the protection of the


Levinson, Richard wrote:

>I agree that we have 2 cases: signed and unsigned
>assertions (i.e. where a "signed assertion" is an
>assertion contains an enveloped signature applied 
>by the assertion authority as described in saml-core). 
>We agree on the unsigned assertion case (i.e. where the
>attester signs both the content and the unsigned assertion)
>and that is the case that is currently in both the current
>profile and interop specs.
>For the sake of continuing the discussion on the 
>"signed assertion" case, I have this to offer in reply
>to your comment:
>I think there is a problem if the attester does not
>sign both the assertion and the content, because if only
>the content is signed then what is to stop an intruder
>from substituting a different assertion which will then
>associate the content with the subject of that other
>assertion. Therefore, in my opinion, even in the signed
>assertion case, the attester must sign both the assertion
>and the content.
>	Rich

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]