RE: [wss] Comments on Sender-Vouches-Signed section in SAML Interop draft

["Levinson, Richard" <rlevinson@netegrity.com>]

Maneesh,

 

Thank you for calling my attention to your earlier email at today's meeting.

I had missed it earlier.

 

In any event, you are correct on all 3 comments. The first (rsa-sha1) and

third (#attesterCert) are simply typos that should be corrected.

 

The 2nd comment (STR-Transform) is redundant as you indicate,

however, it was derived from the SAML profile document,

which used the STR to reference an external assertion.

Also, it is intended to be demonstrative of using the

STR to reference assertions, and its redundancy should not

interfere with operation: i.e. a message should not be rejected,

in general, as long as it is compliant with the WS-Security spec,

and associated token profile.

 

I will hold off updating the spec with the typo fixes for a couple

of weeks to see if additional comments come in.

 

    Thanks,

 

    Rich Levinson

 

 

---

From: Maneesh Sahu [mailto:maneesh@westbridgetech.com]
Sent: Thursday, February 05, 2004 8:09 PM
To: wss@lists.oasis-open.org
Subject: [wss] Comments on Sender-Vouches-Signed section in SAML Interop draft

Hi,

 

I have a few comments and need some clarifications on the example provided with the sender-vouches:signed section:

 

Page 25

 

Line 688: Shouldnt the signature method be rsa-sha1 instead of hmac-sha1 ?

Line 691: For sender-vouches, the STR-Transform may be a bit redundant. It may be useful for holder-of-key where the assertions are immutable and need to be referenced differently.

Line 708: Shouldnt the reference URI be #attesterCert instead of attesterCert ?

 

Apologies if these issues have been tackled earlier...this is my first day on the group.

 

--ms

Maneesh Sahu

Westbridge Technology, Inc.