> Is there any reason why the standard allowed #WithComments? I cannot think
> of a single reason why you would want comments in SAML elements. It makes life
> so much more complicated.
That's not what breaks it. In fact, using #WithComments can harden it; it's the omission of comments from the c14n stream that opens up the attack. It's counter-intuitive. For the record, SAML metadata often includes comments. The "bug" is XML Signature. It is a hopeless goal to make anything safe in the face of how it works unless you use Enveloping, and that's still not really safe, just safer. We're all just left doing the best we can do and reacting the best we can. The real lesson is "do not implement SAML yourself", and I have never stopped saying that in the 17 years I've been doing it.

-- Scott
