[wsf-dev] signing questions
Scott Cantor
cantor.2 at osu.edu
Fri Feb 15 15:22:27 PST 2008
> > 1. Messages over TLS carrying a SAMLv2 token: is this considered
> > urn:liberty:security:2005-02:TLS:Bearer or
> > urn:liberty:security:2005-02:TLS:SAMLV2?
>
> The ...:SAMLV2 method requires a signature on the message. The
> ...:Bearer method does not. So just sticking a SAML token on a
> message without signing the message is ...:Bearer.
It also depends on how you "sign". The TLS:SAMLV2 method means TLS + a SAML
assertion + a signature, I think.
The TLS:peerSAMLV2 method would be TLS + SAML assertion and that's it. Still
"signed" but with TLS.
(Point being the exact mech depends on whether you sign the message, not
just whether it's TLS + a SAML token.)
> The EPR is the primary Metadata container for ID-WSF invocations.
Yes, but that metadata doesn't include the key (pun intended) piece of
metadata, the KeyDescriptors. SAML metadata can be used to establish the
trust layer.
> aren't necessarily signed. I believe that the WS-Security header itself
> isn't signed as the signature itself is added to that element.
It is. The Reference to that header has an enveloped transform in it to
exclude the Signature.
> > 7. Does a signed message require an x.509 token?
>
> No. Signatures can be based upon any of the xmldsig supported models.
> Of course basic public/private keys (which aren't x.509 tokens) can
> be used, but you can also use shared secret signatures.
There's also the fact that the message doesn't have to include the
certificate. Usually does, but that's a hint.
-- Scott
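Added example, not code from the wsf-dev thread or from any ID-WSF implementation: it illustrates the point above about the WS-Security header being covered by the signature only because the Reference to that header carries the enveloped-signature transform. The SOAP envelope, the wsu:Id values (`sec`, `body`) and the helper names are constructed for the example; the canonicalization step uses the C14N 2.0 routine in Python's standard library (3.8+) as a stand-in for the exclusive C14N 1.0 that real xmldsig stacks apply, so the digests are illustrative, not interoperable.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ENVELOPED = DS + "enveloped-signature"
for prefix, uri in (("ds", DS), ("wsse", WSSE), ("wsu", WSU), ("S", SOAP)):
    ET.register_namespace(prefix, uri)

# Constructed sample message (hypothetical Ids): the Signature inside the
# Security header references both the Body and the Security header itself.
SAMPLE = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <S:Header>
    <wsse:Security wsu:Id="sec">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body">
            <ds:DigestMethod Algorithm="{DS}sha256"/>
            <ds:DigestValue></ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#sec">
            <ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>
            <ds:DigestMethod Algorithm="{DS}sha256"/>
            <ds:DigestValue></ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body wsu:Id="body"><Ping/></S:Body>
</S:Envelope>"""


def parse(xml=SAMPLE):
    return ET.fromstring(xml)


def _by_id(root, uri):
    """Resolve a same-document URI ('#id') to the element carrying that wsu:Id."""
    wanted = uri.lstrip("#")
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == wanted:
            return el
    raise KeyError(uri)


def _strip_signatures(el):
    """Enveloped-signature transform (simplified): drop ds:Signature subtrees."""
    for child in list(el):
        if child.tag == f"{{{DS}}}Signature":
            el.remove(child)
        else:
            _strip_signatures(child)
    return el


def digest_input(root, ref):
    """Bytes that get digested for one ds:Reference after its transforms run."""
    target = copy.deepcopy(_by_id(root, ref.get("URI")))
    if any(t.get("Algorithm") == ENVELOPED for t in ref.iter(f"{{{DS}}}Transform")):
        _strip_signatures(target)
    # C14N 2.0 from the stdlib stands in for exclusive C14N 1.0 here.
    return ET.canonicalize(ET.tostring(target, encoding="unicode")).encode()


def audit_references(root):
    """Per Reference: (URI, target contains the Signature?, has enveloped transform?, sound?).
    A Reference whose target encloses the Signature can only ever verify if the
    enveloped transform removes that Signature from the digest input."""
    parents = {c: p for p in root.iter() for c in p}
    sig = root.find(f".//{{{DS}}}Signature")
    ancestors, node = set(), sig
    while node in parents:
        node = parents[node]
        ancestors.add(node)
    result = []
    for ref in sig.iter(f"{{{DS}}}Reference"):
        covers = _by_id(root, ref.get("URI")) in ancestors
        enveloped = any(t.get("Algorithm") == ENVELOPED for t in ref.iter(f"{{{DS}}}Transform"))
        result.append((ref.get("URI"), covers, enveloped, (not covers) or enveloped))
    return result


def fill_digests(root):
    """Signer side: compute each DigestValue in place (SignatureValue is left as a placeholder)."""
    for ref in root.iter(f"{{{DS}}}Reference"):
        digest = hashlib.sha256(digest_input(root, ref)).digest()
        ref.find(f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    return root


def verify_digests(root):
    """Verifier side: True when every DigestValue matches a fresh digest of its transformed target."""
    for ref in root.iter(f"{{{DS}}}Reference"):
        digest = hashlib.sha256(digest_input(root, ref)).digest()
        if ref.find(f"{{{DS}}}DigestValue").text != base64.b64encode(digest).decode():
            return False
    return True


def drop_enveloped_transform(root, uri="#sec"):
    """Mutate root to show the failure mode: remove the Transforms from one Reference."""
    for ref in root.iter(f"{{{DS}}}Reference"):
        if ref.get("URI") == uri:
            transforms = ref.find(f"{{{DS}}}Transforms")
            if transforms is not None:
                ref.remove(transforms)
    return root


if __name__ == "__main__":
    msg = parse()
    print(audit_references(msg))              # both References sound
    print(verify_digests(fill_digests(msg)))  # True
    broken = drop_enveloped_transform(parse())
    print(audit_references(broken))           # "#sec" flagged: self-referential without transform
    print(verify_digests(fill_digests(broken)))  # False: the digest would have to cover itself
```

The second run shows why the transform is not optional: without it the Reference to the Security header would have to digest a DigestValue that is itself part of the digested content, so no value can ever satisfy it. The audit function is the defender-side check to run before trusting a verifier's "signed" verdict: a Reference that encloses the Signature and lacks the enveloped transform indicates a malformed or misconfigured signer, not a header that is merely unsigned.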