On Sat, Nov 2, 2013 at 2:07 AM, Hannes Tschofenig <[email protected]> wrote:
> Item #10: You write:
>
> "
> 10. The Assertion MUST be digitally signed or have a keyed message
> digest applied by the issuer. The authorization server MUST
> reject assertions with an invalid signature or keyed message
> digest.
> "
>
> To my knowledge SAML assertions only support digital signatures and no
> keyed message digests.
It's built on XML DSig, which does allow for a MAC. AFAIK, there's nothing in SAML prohibiting it. But, to your point, in practice it's always an asymmetric digital signature.

I don't think this is the first time we've discussed this point. Maybe omitting the mention of keyed message digests would avoid confusion? In practice I don't think anything would be lost by doing so.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
