Title: RE: Note on Digital Signing in SAML (re-send)
Prateek - It is important to specify BY WHOM the assertions must be signed,
not merely that they BE signed. Whoever signs them may be considered the
issuer. If an unsigned assertion is embedded in a signed response, then it
may be deemed to have been issued by the responder. If one is embedded in a
signed message, then it may be deemed to have been issued by the sender. The
question is, under what circumstances should the responder or sender be
considered a suitable issuer. Each protocol profile should be considered
separately from this point of view and the signer requirement stipulated.
Best regards. Tim.
From: Mishra, Prateek [mailto:pmis...@netegrity.com]
Sent: Tuesday, July 03, 2001 11:59 AM
To: Mishra, Prateek; 'christopher ferris';
Cc: 'Evan Prodromou'; 'secu...@lists.oasis-open.org'
Subject: RE: Note on Digital Signing in SAML (re-send)
The previous message was incomplete! Here is the complete message:
Four separate issues here:
(1) Assertions MAY be signed using XML-SIG
(ISSUE: enveloped, enveloping, detached? --- are we ready to
make a recommendation? Do we want to constrain KeyInfo).
(2) Assertions MUST be signed if the RP receives them from any
intermediary (entity other than AP).
(3) BUT assertions may be embedded within Response/Request
messages. These may also be signed with XML-DSIG (ISSUE: as in
(1) above). Question: If assertions are contained within
a signed Request/Response pair, can they "inherit" the
super-signature?? Should we support this flexibility or
should we insist that assertions be individually signed?
(4) BUT request/response messages may themselves be embedded
within other payloads (XML, MIME). These payloads may themselves
be signed. Should the contained SAML messages "inherit" the
(A) Do not consider any signature inheritance notion for
SAML messages or assertions.
(B) Include signature inheritance up to (3), do not include
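Tim's point that whoever signs is the de facto issuer, and Prateek's cases (1) to (3), reduce to one check the relying party has to make: which element does each XML-DSIG Reference actually cover? The Python below is an added example (not code from either message or from any SAML specification) that classifies every assertion in a constructed SAML 1.0 response as individually signed, covered only by an enclosing signed element, or unsigned; it assumes the ID-typed attribute names listed in ID_ATTRS and that cryptographic verification of each signature has already been done as a prior step.

```python
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
ID_ATTRS = ("AssertionID", "ResponseID", "RequestID", "ID")  # assumed ID-typed attributes

def element_id(el):
    return next((el.attrib[a] for a in ID_ATTRS if a in el.attrib), None)

def signed_elements(root):
    # Elements named by a ds:Reference: URI="" is the whole document, URI="#x" is the
    # element whose ID is x. Signature validity itself is assumed checked beforehand.
    by_id = {element_id(e): e for e in root.iter() if element_id(e)}
    covered = set()
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if uri == "":
            covered.add(root)
        elif uri.startswith("#") and uri[1:] in by_id:
            covered.add(by_id[uri[1:]])
    return covered

def assertion_signing_status(xml_text):
    # "self": the assertion carries its own signature; "inherited:<Tag>": only an enclosing
    # element is signed, so its signer (responder/sender) is the effective issuer; "unsigned".
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    covered = signed_elements(root)
    status = {}
    for a in root.iter(SAML + "Assertion"):
        anc = a
        while anc is not None and anc not in covered:
            anc = parent.get(anc)
        status[a.get("AssertionID")] = ("self" if anc is a else "unsigned" if anc is None
                                        else "inherited:" + anc.tag.rsplit("}", 1)[-1])
    return status

# Constructed sample: signed Response carrying one individually signed and one bare assertion.
SIGNED_RESPONSE = """<samlp:Response ResponseID="r1"
  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#r1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion AssertionID="a1" Issuer="ap.example">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
  <saml:Assertion AssertionID="a2" Issuer="ap.example"/>
</samlp:Response>"""
# Constructed sample: same document with the Response-level signature removed.
UNSIGNED_RESPONSE = SIGNED_RESPONSE.replace(
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#r1"/></ds:SignedInfo></ds:Signature>', "")
```

Whether "inherited:Response" is acceptable for a given profile is exactly the policy question the thread raises; the function only makes the signer attribution explicit so that policy can be applied.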