Subject: Re: [wss] Groups - WSS-SAML-09.pdf uploaded
Rich,

The assertion must always be protected (in addition to the message), but sometimes it is the attester that protects the assertion (i.e. sender-vouches), and sometimes (holder-of-key) it is a third party (i.e. the assertion authority) that protects the assertion. In both cases the attesting entity binds the assertion to the message content. In the protected (e.g. signed) assertion case, the attesting entity need not protect the assertion, because it can only bind a different assertion to the message if it can demonstrate knowledge of the confirmation key in this different assertion. Similarly, the attesting entity cannot change the content of the assertion without invalidating the protection of the assertion.

Ron

Levinson, Richard wrote:
> Ron,
>
> I agree that we have 2 cases: signed and unsigned
> assertions (i.e. where a "signed assertion" is an
> assertion that contains an enveloped signature applied
> by the assertion authority as described in saml-core).
>
> We agree on the unsigned assertion case (i.e. where the
> attester signs both the content and the unsigned assertion)
> and that is the case that is currently in both the current
> profile and interop specs.
>
> For the sake of continuing the discussion on the
> "signed assertion" case, I have this to offer in reply
> to your comment:
>
> I think there is a problem if the attester does not
> sign both the assertion and the content, because if only
> the content is signed then what is to stop an intruder
> from substituting a different assertion which will then
> associate the content with the subject of that other
> assertion. Therefore, in my opinion, even in the signed
> assertion case, the attester must sign both the assertion
> and the content.
>
> Rich
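The "signed assertion" (holder-of-key) case argued over in the message above, modelled as an added example; this is not code from the thread or from the WSS TC profile. It stands in for a SAML assertion with an enveloped authority signature and for the attester's WS-Security signature using JSON-serialized structs and Ed25519 instead of XML and XML Signature, and the issuer name idp.example, the subjects alice and bob, the attacker mallory and the message body are all constructed for the example. The attester signs only the body, as Ron proposes; the verifier then checks the attester's signature under the confirmation key carried inside the authority-signed assertion, which is what defeats both the substitution Rich worries about and the alteration Ron mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is a simplified stand-in for a SAML assertion with a
// holder-of-key SubjectConfirmation: the assertion authority binds a
// subject to a confirmation (public) key and signs the whole assertion.
type Assertion struct {
	Issuer          string `json:"issuer"`
	Subject         string `json:"subject"`
	ConfirmationKey []byte `json:"confirmation_key"` // holder-of-key public key
}

// SignedAssertion is the assertion plus the authority's enveloped signature.
type SignedAssertion struct {
	Assertion Assertion `json:"assertion"`
	AuthSig   []byte    `json:"auth_sig"`
}

// Message carries the signed assertion, the body, and the attester's
// signature over the body only (the "signed assertion" case in the thread).
type Message struct {
	Token       SignedAssertion `json:"token"`
	Body        string          `json:"body"`
	AttesterSig []byte          `json:"attester_sig"`
}

// mustJSON is the canonical byte form that gets signed (struct field order is fixed).
func mustJSON(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// IssueAssertion: the assertion authority signs (issuer, subject, confirmation key).
func IssueAssertion(authPriv ed25519.PrivateKey, subject string, confKey ed25519.PublicKey) SignedAssertion {
	a := Assertion{Issuer: "idp.example", Subject: subject, ConfirmationKey: confKey} // constructed issuer
	return SignedAssertion{Assertion: a, AuthSig: ed25519.Sign(authPriv, mustJSON(a))}
}

// Attest: the holder of the confirmation key signs the message body only.
func Attest(subjPriv ed25519.PrivateKey, token SignedAssertion, body string) Message {
	return Message{Token: token, Body: body, AttesterSig: ed25519.Sign(subjPriv, []byte(body))}
}

// Verify checks (1) the authority's signature over the assertion, so its
// content cannot be altered, and (2) the attester's signature over the body
// under the confirmation key carried inside that assertion, so only a party
// that knows the key named in the assertion can bind the assertion to the body.
func Verify(authPub ed25519.PublicKey, m Message) error {
	if !ed25519.Verify(authPub, mustJSON(m.Token.Assertion), m.Token.AuthSig) {
		return errors.New("assertion signature invalid: altered or not issued by the authority")
	}
	confKey := ed25519.PublicKey(m.Token.Assertion.ConfirmationKey)
	if len(confKey) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key length
		return errors.New("malformed confirmation key in assertion")
	}
	if !ed25519.Verify(confKey, []byte(m.Body), m.AttesterSig) {
		return errors.New("attester signature does not verify under the assertion's confirmation key")
	}
	return nil
}

// Scenario runs the honest exchange and the two attacks discussed in the thread.
// It returns (honest message accepted, substituted assertion rejected, altered assertion rejected).
func Scenario() (bool, bool, bool) {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader) // bob's private key stays with bob

	aliceToken := IssueAssertion(authPriv, "alice", alicePub)
	bobToken := IssueAssertion(authPriv, "bob", bobPub)

	msg := Attest(alicePriv, aliceToken, "transfer 100 to account 42") // constructed body
	honest := Verify(authPub, msg) == nil

	// Rich's concern: an intruder swaps in a different, genuinely authority-signed
	// assertion so the body is attributed to bob. Without bob's key the existing
	// body signature does not verify under bob's confirmation key, so it is rejected.
	swapped := msg
	swapped.Token = bobToken
	substitutionRejected := Verify(authPub, swapped) != nil

	// Ron's second point: editing the assertion content (renaming the subject while
	// keeping alice's confirmation key) invalidates the authority's signature.
	altered := msg
	altered.Token.Assertion.Subject = "mallory"
	alterationRejected := Verify(authPub, altered) != nil

	return honest, substitutionRejected, alterationRejected
}

func main() {
	h, s, a := Scenario()
	fmt.Printf("honest=%v substitution_rejected=%v alteration_rejected=%v\n", h, s, a)
}
```

The one substitution this model does allow is an intruder replacing both the assertion and the body signature with an assertion and key of its own; that is simply the intruder attesting in its own name, not an association of the original attester's content with a different subject, which is the distinction the message above rests on.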