The previous message was incomplete! Here is the complete message:
------------------------------------------------------------------
Four separate issues here:
(1) Assertions MAY be signed using XML-SIG
(ISSUE: enveloped, enveloping, detached? --- are we ready to
make a recommendation? Do we want to constrain KeyInfo).
(2) Assertions MUST be signed if the RP receives them from any
intermediary (entity other than AP).
(3) BUT assertions may be embedded within Response/Request
messages. These may also be signed with XML-DSIG (ISSUE: as in
(1) above). Question: If assertions are contained within
a signed Request/Response pair, can they "inherit" the
super-signature?? Should we support this flexibility or
should we insist that assertions be individually signed?
(4) BUT request/response messages may themselves be embedded
within other payloads (XML, MIME). These payloads may themselves
be signed. Should the contained SAML messages "inherit" the
super-signature??
RESOLUTIONS:
(A) Do not consider any signature inheritance notion for
SAML messages or assertions.
(B) Include signature inheritance up to (3), do not include
(4).
(C) Support full inheritance up to (4).
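To make the intermediary rule in (2) and the choice between resolutions (A) to (C) concrete, here is an added Python example, not part of the original message, that models a signed Response carrying one Assertion. It assumes an HMAC over plain serialization as a stand-in for XML-DSIG and C14N, and all element names, IDs and key material are constructed for the demo; it shows that an "inherited" Response signature cannot be checked once an intermediary forwards the Assertion by itself, which is why (2) demands an individual signature in that case.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed key. An HMAC stands in for the XML-DSIG signature and plain
# serialization for C14N, so the example runs on the standard library alone.
SIGNING_KEY = b"constructed-demo-key"

def canonical(elem):
    return ET.tostring(elem, encoding="utf-8")

def sign(elem):
    """Enveloped toy signature: MAC the element, then append it as a Signature child."""
    mac = hmac.new(SIGNING_KEY, canonical(elem), hashlib.sha256).hexdigest()
    ET.SubElement(elem, "Signature").text = mac

def verify(elem):
    """True only if elem has its own Signature child (not a nested one) that matches."""
    sig = elem.find("Signature")
    if sig is None:
        return False
    body = ET.fromstring(canonical(elem))
    body.remove(body.find("Signature"))
    mac = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, sig.text or "")

def build_signed_response(sign_assertion):
    """Constructed Response holding one Assertion; the Response itself is always signed."""
    response = ET.Element("Response", ResponseID="constructed-resp-1")
    assertion = ET.SubElement(response, "Assertion", AssertionID="constructed-assn-1")
    ET.SubElement(assertion, "AuthenticationStatement", NameIdentifier="alice")
    if sign_assertion:
        sign(assertion)
    sign(response)
    return response

def assertion_trusted(assertion, policy, container_verified):
    """A: only the Assertion's own signature counts; B/C: a verified enclosing Response may be inherited."""
    if verify(assertion):
        return True
    return policy in ("B", "C") and container_verified

def scenario(sign_assertion, policy, forwarded_alone):
    """forwarded_alone: an intermediary forwards the Assertion by itself, so the Response signature is gone."""
    response = build_signed_response(sign_assertion)
    assertion = response.find("Assertion")
    container_ok = verify(response)
    if forwarded_alone:
        assertion = ET.fromstring(canonical(assertion))
        container_ok = False
    return assertion_trusted(assertion, policy, container_ok)
```

Run `scenario(False, "B", True)` against `scenario(False, "B", False)` to see inheritance hold inside the Response and evaporate once the Assertion travels alone.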