Re: [fwd] [dix] fyi: SAMLv2: HTTP POST "NoXMLdsig" Binding (from: Jeff.Hodges@neustar.biz)

Interesting, although I don't understand this completely.

It seems that the signature only contains the actual signature value and no KeyInfo etc.
If I had looked for a simpler (binary) solution, I would rather have used CMS.
The primary (only) rationale for this proposal appears to be that canonicalization takes too much CPU.
There is a risk that this may be based on non-optimal implementations rather than a fact.

Anders Rundgren

----- Original Message ----- 
From: "Thomas Roessler" <tlr@w3.org>
To: <w3c-ietf-xmldsig@w3.org>
Sent: Saturday, June 24, 2006 07:39
Subject: [fwd] [dix] fyi: SAMLv2: HTTP POST "NoXMLdsig" Binding (from: Jeff.Hodges@neustar.biz)

FYI
-- 
Thomas Roessler, W3C   <tlr@w3.org>

----- Forwarded message from Jeff Hodges <Jeff.Hodges@neustar.biz> -----

From: Jeff Hodges <Jeff.Hodges@neustar.biz>
To: Digital Identity Exchange <dix@ietf.org>
Date: Fri, 23 Jun 2006 15:16:34 -0700
Subject: [dix] fyi: SAMLv2: HTTP POST "NoXMLdsig" Binding
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>

Given the various issues with XMLdsig and discussions with various folks, 
Scott Cantor and I crafted a new SAML HTTP POST binding which doesn't rely 
on XMLdsig, but specifies optional signing of the conveyed messages, as 
"blobs". We've tentatively named the binding "HTTP-POST-NoXMLdsig". The 
working draft spec is here:

SAMLv2: HTTP POST "NoXMLdsig" Binding [DRAFT]
http://www.oasis-open.org/committees/download.php/18722/draft-hodges-saml-binding-noxmldsig-01.pdf

The basic notion of this draft binding was well-received by the SSTC and the 
consensus on a recent SSTC concall was that we'd proceed with putting it on 
the SSTC/OASIS equivalent of "the standards track". Note that this spec is a 
*working draft* and some details will change, and comments are welcome.

This binding could be leveraged/profiled in the DIX context in order to 
provide the capability for implementors/deployers to optionally use 
conventional sign-the-BLOB techniques, or the SXIP/DIX Message 
Signature/Verification technique, or no signatures.


JeffH

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix

----- End forwarded message -----
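The "sign-the-BLOB" idea behind the forwarded draft, as an added illustration that is not code from the draft, the SSTC or anyone on this thread: the sender base64-encodes the message and signs the exact bytes of the form fields it will POST, and the verifier recomputes over the bytes it received, so no XML parsing or canonicalization happens on either side. Everything specific here is an assumption for the sake of a runnable example: the field names (SAMLResponse, SigAlg, KeyId, Signature), the fixed field order of the signing input, an HMAC-SHA256 stand-in for the signature primitive (so it runs with the standard library; a real binding would use a public-key signature), and the out-of-band key table, which is how a verifier has to find the key when the signature value is conveyed without KeyInfo, the point Anders raises above. The last function mimics an intermediary that re-serializes the XML; the resulting verification failure is the flip side of skipping canonicalization: the blob bytes must arrive untouched.

```python
import base64
import hashlib
import hmac

# Constructed sample payload; the draft does not prescribe message content.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0"><samlp:Status/></samlp:Response>'
)

# Assumption: keys are identified out of band by a key id, because the
# signed blob carries no KeyInfo. The HMAC secret is a stand-in for a
# public-key signature so the example runs with only the standard library.
KEYS = {"idp-key-1": b"constructed-shared-secret-for-demo"}
SIG_ALG = "hmac-sha256-demo"  # assumed algorithm identifier
SIGNED_FIELDS = ("SAMLResponse", "SigAlg", "KeyId")  # assumed fixed order


def signing_input(fields: dict) -> bytes:
    # The signed string is built from the form-field values exactly as they
    # travel in the POST body, in a fixed order. No XML is parsed here.
    return "&".join(f"{name}={fields[name]}" for name in SIGNED_FIELDS).encode("ascii")


def build_post_fields(xml: str, key_id: str) -> dict:
    # Sender side: base64 the message, then sign the bytes of the fields.
    blob = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    fields = {"SAMLResponse": blob, "SigAlg": SIG_ALG, "KeyId": key_id}
    mac = hmac.new(KEYS[key_id], signing_input(fields), hashlib.sha256).digest()
    fields["Signature"] = base64.b64encode(mac).decode("ascii")
    return fields


def verify_post_fields(fields: dict) -> bool:
    # Receiver side: look the key up by id, recompute over the received
    # bytes, and compare in constant time. Unknown key or algorithm fails.
    key = KEYS.get(fields.get("KeyId"))
    if key is None or fields.get("SigAlg") != SIG_ALG:
        return False
    try:
        received = base64.b64decode(fields["Signature"], validate=True)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, signing_input(fields), hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)


def reserialize_with_whitespace(fields: dict) -> dict:
    # Emulates an intermediary that decodes, pretty-prints and re-encodes the
    # XML. XMLdsig would canonicalize this away; a blob signature cannot, so
    # verification of the result fails even though the XML is equivalent.
    xml = base64.b64decode(fields["SAMLResponse"]).decode("utf-8")
    altered = xml.replace("><", ">\n<")
    out = dict(fields)
    out["SAMLResponse"] = base64.b64encode(altered.encode("utf-8")).decode("ascii")
    return out


if __name__ == "__main__":
    posted = build_post_fields(SAMPLE_XML, "idp-key-1")
    print("verbatim bytes verify:", verify_post_fields(posted))
    print("re-serialized XML verifies:", verify_post_fields(reserialize_with_whitespace(posted)))
```

The verifier's only per-message work is one base64 decode of the signature and one MAC/signature check over the received bytes, which is the CPU argument the draft makes against canonicalization; the cost is that any transformation of the blob in transit, however semantically harmless, is a verification failure rather than something the verifier can normalize away.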

Received on Saturday, 24 June 2006 21:00:11 UTC