Sorry, indeed you did. E26, I think. I must have missed that -- it is a
rather large set of changes.
ET
On 3/1/07 2:04 PM, "Scott Cantor" <cant...@osu.edu> wrote:
So this is a general statement about all profiles where assertions and
signing are concerned. However, the SAML profile document makes other
statements which seem to make more strict requirements (sect 4.1.3.5,
lines 497-500).
"The <Assertion> element(s) in the <Response> MUST be signed, if the HTTP
POST binding is used, and MAY be signed if the HTTP-Artifact binding is
used."
This is already fixed in errata.
I think that this may add to the impression that the <Assertion> element
itself must be signed.
Yes, that's the point though. If you say you want the assertion signed,
that's what you should get, not the response.
So I would suggest that clarifying language be added in the Profile document
around 4.1.3.5 line 500 indicating that the "signature inheritance" notion
applies to the <Assertion> element in a POST message --- if that is indeed
the intent.
We did.