Given the various issues with XMLdsig and discussions with various folks, Scott
Cantor and I crafted a new SAML HTTP POST binding which doesn't rely on
XMLdsig, but specifies optional signing of the conveyed messages, as "blobs".
We've tentatively named the binding "HTTP-POST-NoXMLdsig". The working draft
spec is here:
SAMLv2: HTTP POST “NoXMLdsig” Binding [DRAFT]
http://www.oasis-open.org/committees/download.php/18722/draft-hodges-saml-binding-noxmldsig-01.pdf
The basic notion of this draft binding was well-received by the SSTC and the
consensus on a recent SSTC concall was that we'd proceed with putting it on the
SSTC/OASIS equivalent of "the standards track". Note that this spec is a
*working draft* and some details will change, and comments are welcome.
This binding could be leveraged/profiled in the DIX context in order to provide
the capability for implementors/deployers to optionally use conventional
sign-the-BLOB techniques, or the SXIP/DIX Message Signature/Verification
technique, or no signatures.
JeffH
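To show what "sign the BLOB" means in practice versus XMLdsig, here is an added illustration that is not code from the draft or from the SSTC: the encoded SAML message is treated as an opaque blob, the signature covers the blob and its companion form fields byte-for-byte, and the receiver verifies before it ever parses XML. The field layout (modelled on the HTTP-Redirect binding's SAMLResponse/RelayState/SigAlg/Signature) and the HMAC standing in for a key-based signature are assumptions, not the draft's wire format.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlencode

# Constructed demo key; a real deployment would use the issuer's signing key.
KEY = b"constructed-demo-key"
# Placeholder algorithm label; the draft would name a real algorithm identifier.
SIG_ALG = "hmac-sha256"


def signed_string(blob: str, relay_state: str, sig_alg: str) -> str:
    """Assumed layout of the bytes the signature covers: the encoded blob plus
    RelayState and SigAlg, so none of them can be swapped independently."""
    return urlencode([("SAMLResponse", blob), ("RelayState", relay_state), ("SigAlg", sig_alg)])


def build_post_form(saml_xml: bytes, relay_state: str) -> dict:
    """Sender side: encode the message as a blob and sign the blob itself.
    No canonicalization step exists because the XML is never interpreted."""
    blob = base64.b64encode(saml_xml).decode("ascii")
    sig = hmac.new(KEY, signed_string(blob, relay_state, SIG_ALG).encode("ascii"), hashlib.sha256).digest()
    return {"SAMLResponse": blob, "RelayState": relay_state, "SigAlg": SIG_ALG,
            "Signature": base64.b64encode(sig).decode("ascii")}


def verify_post_form(form: dict) -> Optional[bytes]:
    """Receiver side: check the signature over the received bytes first, and only
    then decode. Returns the message on success, None on any failure."""
    try:
        if form["SigAlg"] != SIG_ALG:
            return None
        expected = hmac.new(KEY, signed_string(form["SAMLResponse"], form["RelayState"], form["SigAlg"]).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(form["Signature"], validate=True)):
            return None
        return base64.b64decode(form["SAMLResponse"], validate=True)
    except (KeyError, ValueError):
        return None
```

A single added whitespace byte inside the XML changes the blob and fails verification; with XMLdsig that same change might or might not survive canonicalization, which is the class of ambiguity blob signing avoids.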
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix