> Is there any reason why the standard allowed #WithComments? I cannot think
> of a single reason why you would want comments in SAML elements. It makes life
> so much more complicated.
That's not what breaks it. In fact, using #WithComments can harden it; it's the
omission of comments from the c14n stream that opens up the attack. It's
For the record, SAML metadata often includes comments.
The "bug" is XML Signature. It is a hopeless goal to make anything safe in the
face of how it works unless you use Enveloping, and that's still not really
safe, just safer. We're all just left doing the best we can do and reacting the
best we can. The real lesson is "do not implement SAML yourself", and I have
never stopped saying that in the 17 years I've been doing it.
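
The point above about comments and the c14n stream, as an added example that is not part of the original message: with comments omitted, a document with a comment inside an element canonicalizes to the same bytes as one without, so a reader that takes only the first text node sees a different value from the one the digest covers. Assumptions: the sample XML and function names are constructed for illustration, and Python's `ET.canonicalize` implements C14N 2.0 rather than the exclusive C14N 1.0 that SAML signatures usually reference (comment handling is the same for this namespace-free sample).

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed samples: the same element with and without an embedded comment.
WITH_COMMENT = "<NameID>abc<!-- constructed comment -->def</NameID>"
CLEAN = "<NameID>abcdef</NameID>"


def canonical(xml, with_comments):
    """Canonical serialisation, i.e. the stream a signature digest would cover."""
    return ET.canonicalize(xml, with_comments=with_comments)


def first_text_node(xml):
    """Fragile read: returns only the first child text node of the root."""
    node = minidom.parseString(xml).documentElement.firstChild
    if node is not None and node.nodeType == node.TEXT_NODE:
        return node.data
    return ""


def full_text(xml):
    """Robust read: concatenates every descendant text node, skipping comments."""
    def walk(node):
        if node.nodeType in (node.TEXT_NODE, node.CDATA_SECTION_NODE):
            return node.data
        return "".join(walk(child) for child in node.childNodes)
    return walk(minidom.parseString(xml).documentElement)


def value_matches_signed_form(xml):
    """True only if the fragile read agrees with the comment-free canonical text."""
    signed_text = full_text(canonical(xml, with_comments=False))
    return first_text_node(xml) == signed_text


if __name__ == "__main__":
    # Without comments both documents digest identically; with comments they differ.
    print(canonical(WITH_COMMENT, False) == canonical(CLEAN, False))
    print(canonical(WITH_COMMENT, True) == canonical(CLEAN, True))
    print(first_text_node(WITH_COMMENT), full_text(WITH_COMMENT))
    print(value_matches_signed_form(WITH_COMMENT), value_matches_signed_form(CLEAN))
```

A consumer can apply the `value_matches_signed_form` comparison after signature validation and reject any element where the two reads disagree.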