
mace-opensaml-users - RE: Looking for "best practices" regarding handling of keys/certificates


RE: Looking for "best practices" regarding handling of keys/certificates


  • From: Scott Cantor <>
  • To: 'Shannon Kendrick' <>,
  • Subject: RE: Looking for "best practices" regarding handling of keys/certificates
  • Date: Thu, 27 Feb 2003 23:55:27 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> Being new to SAML and XML Signatures, I'd like to find out
> what the "best practices" are for signature validation of a
> SAML Response (Browser/POST profile).

Well, at a sort of basic technical level, I would suggest taking a look at the
draft I submitted to OASIS on signatures in SAML that's on the SAML/SSTC web
site. Among other things, it proposes the use of a bare minimum transform
profile to signing, that I have implemented in the code as a "simple"
signature. It's appropriate for Response signing in the POST profile.

At the same time, much of this is in flux because there's some chance we may
add ID attributes to the schema in SAML 1.1, though that presumes we end up
revving the namespaces, which is not a sure thing. If we add them, the whole
issue of signature reference syntax changes dramatically.

> I'm currently unclear where to get the public key to validate
> the signature. Is it typically sent in the SAML Response? If
> so, how do I know it's a valid key? Or should I retrieve the
> key from a Java KeyStore on the filesystem? Should I worry
> about revocation lists?

This is a completely different issue, and it is out of scope of SAML. Normally,
one tends to send along the signing chain of certificates in the signature. My
code does this. And the code basically tries to verify by using what's there,
or it will explicitly verify with a key you provide.

But how you bind that key to a trusted entity and decide whether the signature
is meaningful for SSO is not a SAML issue. Shibboleth is one example of a
system with a trust model for deciding that.

The basic SSO transaction is not where the real work is (bugs in OpenSAML
notwithstanding ;-). The trust is the hard part.

-- Scott

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--
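The two steps Scott separates above, checking that the signature verifies and deciding whose key is allowed to verify it, can be made concrete with the JDK's XML Digital Signature API (javax.xml.crypto.dsig). The following is an added example written for this archive page; it is not OpenSAML code and not the code Scott refers to. It assumes the Response is the document element of a namespace-aware parsed Document, that the deployer keeps one pinned X.509 certificate per issuer in a local KeyStore under an alias of their choosing (the `issuerAlias` parameter is hypothetical), and that the Response carries the SAML 1.x `ResponseID` attribute. Certificates embedded in `ds:KeyInfo` are read, as Scott's code does, but the key that actually verifies the signature always comes from the local trust store; the message never gets to choose its own trust anchor.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical helper (not OpenSAML): verifies the enveloped signature on a SAML 1.x
 * Response and binds the signing key to a locally pinned issuer certificate.
 * The Document must have been parsed namespace-aware.
 */
public final class ResponseSignatureCheck {

    /**
     * @param doc         parsed SAML Response; the document element is samlp:Response
     * @param trustStore  local KeyStore holding one pinned certificate per issuer
     * @param issuerAlias KeyStore alias of the issuer this Response is expected to come from
     * @return true only if exactly one Signature covers the Response and verifies with the pinned key
     */
    public static boolean verify(Document doc, KeyStore trustStore, String issuerAlias) throws Exception {
        Element response = doc.getDocumentElement();

        // Exactly one ds:Signature, and it must be a direct child of the Response.
        // A Signature nested deeper (e.g. inside an Assertion) does not cover the Response.
        NodeList sigs = response.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != response) {
            return false;
        }
        Element sigEl = (Element) sigs.item(0);

        // Trust binding happens here, outside the signature: the verification key is the one
        // the deployer pinned for this issuer, not whatever the message carries in KeyInfo.
        Certificate pinned = trustStore.getCertificate(issuerAlias);
        if (!(pinned instanceof X509Certificate)) {
            return false;
        }
        X509Certificate trusted = (X509Certificate) pinned;

        DOMValidateContext ctx = new DOMValidateContext(new PinnedKeySelector(trusted), sigEl);
        // SAML 1.x ResponseID is not a schema ID type, so the validator must be told it may be
        // the target of a "#..." reference (the reference-syntax issue raised in the thread).
        String responseId = response.getAttribute("ResponseID");
        if (!responseId.isEmpty()) {
            ctx.setIdAttributeNS(response, null, "ResponseID");
        }

        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        // Every Reference must point at the Response itself: the whole document ("") or the
        // Response's own ID. A signature over anything else proves nothing about this Response.
        for (Object o : sig.getSignedInfo().getReferences()) {
            String uri = ((Reference) o).getURI();
            boolean coversResponse = "".equals(uri)
                    || (!responseId.isEmpty() && uri.equals("#" + responseId));
            if (!coversResponse) {
                return false;
            }
        }
        return sig.validate(ctx);
    }

    /**
     * KeySelector that always returns the pinned key. Certificates embedded in KeyInfo are
     * inspected only to report an obvious mismatch; they are never the basis of the trust decision.
     */
    static final class PinnedKeySelector extends KeySelector {
        private final X509Certificate trusted;

        PinnedKeySelector(X509Certificate trusted) {
            this.trusted = trusted;
        }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            boolean sawCerts = false, matched = false;
            if (keyInfo != null) {
                for (Object item : keyInfo.getContent()) {
                    if (!(item instanceof X509Data)) continue;
                    for (Object x : ((X509Data) item).getContent()) {
                        if (x instanceof X509Certificate) {
                            sawCerts = true;
                            matched |= trusted.equals(x);
                        }
                    }
                }
            }
            if (sawCerts && !matched) {
                // The message carries a chain, but none of it is the certificate pinned for this
                // issuer. Refuse explicitly instead of letting validate() fail without explanation.
                throw new KeySelectorException("KeyInfo certificates do not include the pinned certificate");
            }
            return () -> trusted.getPublicKey();
        }
    }
}
```

Pinning one certificate per issuer is the simplest trust model that answers the question in the thread; a deployment that trusts a CA instead would keep the same structure but replace the equality check in the selector with a PKIX path validation (java.security.cert.CertPathValidator) of the embedded chain against the KeyStore's trust anchors, which is also where revocation checking would live.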



