Sorry, indeed you did. E26, I think. I must have missed that -- it is a
rather large set of changes.
On 3/1/07 2:04 PM, "Scott Cantor" <cant...@osu.edu> wrote:
So this is a general statement about all profiles where assertions and
signing are concerned. However, the SAML profile document makes other
statements which seem to make more strict requirements (sect 184.108.40.206,
" The <Assertion> element(s) in the <Response> MUST be signed, if the HTTP
POST binding is used, and MAY be signed if the HTTP- Artifact binding is
This is already fixed in errata.
I think that this may add to the impression that the <Assertion> element
itself must be signed.
Yes, that's the point though. If you say you want the assertion signed,
that's what you should get, not the response.
So I would suggest that clarifying language be added in the Profile
around 220.127.116.11 line 500 indicating that the "signature inheritance" notion
applies to the <Assertion> element in a POST message --- if that is indeed
Eric Tiffany | er...@projectliberty.org
Interop Tech Lead | +1 413-458-3743
Liberty Alliance | +1 413-627-1778 mobile