> -----Original Message-----
> From: Stephen Farrell [mailto:[email protected]]
> Sent: Tuesday, October 02, 2012 7:36 AM
> To: Sam Hartman
> Cc: Josh Howlett; Jim Schaad; [email protected]
> Subject: Re: [abfab] I-D Action: draft-ietf-abfab-aaa-saml-03.txt
> 
> 
> 
> On 10/02/2012 03:27 PM, Sam Hartman wrote:
> >>>>>> "Stephen" == Stephen Farrell <[email protected]> writes:
> >
> >     Stephen> (jumping in with little context...)
> >
> >     Stephen> On 10/02/2012 02:34 PM, Sam Hartman wrote:
> >     >> I think that we need to have a mandatory-to-implement policy for
> >     >> signature handling to guarantee interoperability.  I think that
> >     >> mandatory-to-implement policy should be ignore the signature in
> >     >> all its bulk.
> >
> >     Stephen> Defining signature "handling" as ignoring the signature
> >     Stephen> would seem very insecure, no? How'd you justify that?
> >
> > But something that can actually be implemented.  The idea that you
> > could actually construct a usable PKI is sufficiently preposterous
> > that it need not be considered:-)
> >
> > OK, now that we've squared off, let me try and make a serious
> > contribution.
> 
> :-)
> 
> > The SAML signature mechanism is ancillary to the security approach that
> > we're using for this.
> > I think a lot of us would like to not even support signatures in this
> > SAML binding because we believe that the hop-by-hop integrity is
> > sufficient and because those signatures will create interoperability
> > problems.
> 
> Is there text somewhere that argues that hop-by-hop integrity is enough for
> abfab? Is that for all use-cases or just some?
> 
> I reckon you'll need that text if "ignore signature" is the MUST implement.
> 
> > It seems silly to me though to reject a request because it is signed
> > when you would happily accept the same request were the signature
> > stripped.
> 
> I agree. After lots of debate, DKIM also passes on signatures even after
> they're sure to no longer be verifiable, so you have a good precedent for not
> stripping.
> 
> OTOH, it also seems silly to say ignore signature is the MUST implement, if
> you're able to pass the signature around and it could in principle be
> verified.

But one of the current precepts of ABFAB is that you are not going to be in
a single trust anchor world; the TA of the signer may not be known or
trusted by the acceptor.  This means that you probably cannot validate the
signature even if it is present.

Jim

> 
> S.
> 
> 
> >
> >
> >

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
