[OAUTH-WG] message digest and signature (was draft-ietf-oauth-saml2-bearer-17)

Brian Campbell <bcampbell@pingidentity.com> Mon, 04 November 2013 20:58 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 04 Nov 2013 12:57:28 -0800
Message-ID: <CA+k3eCTPKoRY6t2cFeRhvQq82WPnRZ+V+D+32fAamy+kt0-AcQ@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] message digest and signature (was draft-ietf-oauth-saml2-bearer-17)

On Sat, Nov 2, 2013 at 2:07 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> Item #10: You write:
>
> "
>    10.  The Assertion MUST be digitally signed or have a keyed message
>         digest applied by the issuer.  The authorization server MUST
>         reject assertions with an invalid signature or keyed message
>         digest.
> "
>
> To my knowledge SAML assertions only support digital signatures and no
> keyed message digests.

It's built on XML DSig, which does allow for a MAC. AFAIK, there's
nothing in SAML prohibiting it. But, to your point, in practice it's
always an asymmetric digital signature. I don't think this is
the first time we've discussed this point. Maybe omitting the mention
of keyed message digests would avoid confusion? In practice I don't
think anything would be lost by doing so.
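The requirement under discussion (item #10) is that the authorization server MUST reject an assertion whose signature or keyed message digest does not verify. The following is an added illustration of that verification decision for the keyed-message-digest variant Brian mentions; it is not code from the thread, the draft, or any SAML implementation. It assumes (my simplification) that the assertion is a dict of fields serialized deterministically in place of XML canonicalization, that the issuer and authorization server share a per-issuer HMAC-SHA256 key, and that the MAC travels in a `SignatureValue` field; all issuer names, keys and assertion contents are constructed sample values.

```python
"""Added example (not from the thread): a toy model of requirement #10 of
draft-ietf-oauth-saml2-bearer for the keyed-message-digest case.

Assumptions (not on the page): the assertion is a dict, the digest covers a
deterministic JSON serialization of it (a stand-in for XML C14N), and the
issuer and authorization server share one HMAC key per issuer. Real SAML uses
XML Signature over canonicalized XML; only the accept/reject logic is modelled.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample: per-issuer shared secrets known to the authorization server.
ISSUER_KEYS = {
    "https://idp.example.com": b"constructed-shared-secret-for-example-idp",
}


def canonicalize(assertion: dict) -> bytes:
    """Deterministic byte serialization of the assertion fields (stand-in for C14N)."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode("utf-8")


def apply_keyed_digest(assertion: dict, key: bytes) -> dict:
    """Issuer side: attach an HMAC-SHA256 over the canonical assertion."""
    mac = hmac.new(key, canonicalize(assertion), hashlib.sha256).digest()
    signed = dict(assertion)
    signed["SignatureValue"] = base64.b64encode(mac).decode("ascii")
    return signed


def verify_assertion(signed: dict) -> tuple:
    """Authorization server side: accept only if the keyed digest verifies
    under the key registered for the assertion's issuer."""
    key = ISSUER_KEYS.get(signed.get("Issuer"))
    if key is None:
        return False, "unknown issuer"
    sig_b64 = signed.get("SignatureValue")
    if not sig_b64:
        return False, "assertion is not signed/MACed"
    try:
        presented = base64.b64decode(sig_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed SignatureValue"
    body = {k: v for k, v in signed.items() if k != "SignatureValue"}
    expected = hmac.new(key, canonicalize(body), hashlib.sha256).digest()
    # Constant-time comparison so a forged MAC cannot be probed byte by byte.
    if not hmac.compare_digest(presented, expected):
        return False, "invalid keyed message digest"
    return True, "ok"


# Constructed sample assertion (values are illustrative only).
SAMPLE_ASSERTION = {
    "Issuer": "https://idp.example.com",
    "Subject": "alice@example.com",
    "Audience": "https://as.example.com/token",
    "NotOnOrAfter": "2013-11-04T21:30:00Z",
}


def demo() -> dict:
    """Run the verifier over a valid, a tampered, an unsigned and an unknown-issuer assertion."""
    signed = apply_keyed_digest(SAMPLE_ASSERTION, ISSUER_KEYS["https://idp.example.com"])
    tampered = dict(signed)
    tampered["Subject"] = "mallory@example.com"       # content changed after MACing
    unsigned = dict(SAMPLE_ASSERTION)                 # no SignatureValue at all
    wrong_issuer = dict(signed)
    wrong_issuer["Issuer"] = "https://unknown.example.net"
    return {
        "valid": verify_assertion(signed),
        "tampered": verify_assertion(tampered),
        "unsigned": verify_assertion(unsigned),
        "unknown_issuer": verify_assertion(wrong_issuer),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The point the model makes is that the authorization server's decision is the same whichever mechanism the issuer used: look up the issuer's key material, recompute or verify over the covered content, and reject on any mismatch rather than falling back to an unsigned assertion. Swapping the HMAC for an asymmetric signature check changes only the key lookup and the verification primitive, which is why dropping the keyed-digest wording from the draft loses nothing in practice.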