Gary Ellison noted that usng an OOB symmetric key to encrypt the
encryption keys used is likely to be >useful in such a case to make the
Right, this fits in with not mandating particular key management
Super-encryption, which means encrypting content that includes
encrypted content, is not specified in the SAML specifications, but
this does not mean it couldn't occur in a SOAP messaging component of
the system - but the SAML specifications are silent on the topic and
believe this is appropriate.
Well, it could happen with SAML quite easily such as an encrypted
assertion that contains an
EncryptedID or EncryptedAttribute. The question is, do we need to say
anything about it? I'm not sure >why encrypting an element that happens
to have stuff from the XMLEnc spec in it is different from any >other
I don't think much need be said in this case.