> Is there any reason why the standard allowed #WithComments? I cannot think
> a single reason why would you want comments in SAML elements. It makes life
> so much more complicated.

That's not what breaks it. In fact, using #WithComments can harden it, it's the 
omission of comments from the c14n stream that opens up the attack. It's 
counter-intuitive.

For the record, SAML metadata often includes comments.

The "bug" is XML Signature. It is a hopeless goal to make anything safe in the 
face of how it works unless you use Enveloping, and that's still not really 
safe, just safer. We're all just left doing the best we can do and reacting the 
best we can. The real lesson is "do not implement SAML yourself", and I have 
never stopped saying that in the 17 years I've been doing it.
 
-- Scott

Reply via email to