
mace-opensaml-users - RE: Looking for "best practices" regarding handling of keys/certificates

Subject: OpenSAML user discussion

  • From: Scott Cantor <>
  • To: 'Mark Wilcox' <>, 'Shannon Kendrick' <>
  • Subject: RE: Looking for "best practices" regarding handling of keys/certificates
  • Date: Fri, 28 Feb 2003 00:13:44 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> Personally it's been a while since I read the SAML spec, so
> I'm not 100% sure if it's sent in the response. However if it
> is sent in the response there's a variety of ways of choosing
> how to handle an unknown signature:

You won't find anything in the spec whatsoever on this topic. XML Signature is completely wide open in terms of what you include and how you include it. You can pass certs, keys, names of cert subjects, names of things that point to certs, or pink elephants (ok, maybe not) and SAML doesn't tell you which to send.

I chose to implement the obvious, which is to include certs if you give them to the sign() method. In theory, one could override this behavior with some inheritance in Java, though that's not something I planned for specifically.

> I would recommend you read up on PKI and Java cryptography to
> get a better understanding on the topic.

Definitely good advice if you haven't got that background, though I haven't a specific book to suggest. Perhaps somebody knows of a good PKI primer.

-- Scott
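The point Scott makes above, that XML Signature lets a signer put a certificate, a raw key value, a key name, a pointer to something else, or nothing at all into ds:KeyInfo, and that the relying party is left to decide what to do with it, as an added example that is not OpenSAML's code or anyone's from this thread. The receiver below treats whatever arrives in KeyInfo purely as a hint and resolves it against a local trust store (pinned certificate fingerprints and known key names); an embedded certificate nobody has vetted, a bare RSA key value, or a RetrievalMethod reference is never accepted on its own. The response XML, the certificate bytes, the key name and the trust store contents are all constructed for the example, and the actual signature check with the resolved key is out of scope here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"


def ds(tag):
    """Clark-notation name for an element in the XML Signature namespace."""
    return "{%s}%s" % (DS, tag)


# Constructed placeholders, NOT real DER certificates: the example is about
# the trust decision, not about ASN.1 parsing.
TRUSTED_CERT_B64 = base64.b64encode(b"constructed cert of the IdP we federate with").decode()
UNKNOWN_CERT_B64 = base64.b64encode(b"constructed cert nobody here has vetted").decode()
TRUSTED_KEY_NAME = "idp.example.edu signing key"   # assumed, constructed name


def cert_fingerprint(b64):
    """SHA-256 over the decoded certificate bytes, the value we pin locally."""
    der = base64.b64decode("".join(b64.split()))
    return hashlib.sha256(der).hexdigest()


def classify_keyinfo(keyinfo):
    """List which kinds of hint the signer chose to put in ds:KeyInfo."""
    kinds = []
    if keyinfo is None:
        return kinds
    for child in keyinfo:
        if child.tag == ds("X509Data") and child.find(ds("X509Certificate")) is not None:
            kinds.append("certificate")
        elif child.tag == ds("KeyValue"):
            kinds.append("raw-key")
        elif child.tag == ds("KeyName"):
            kinds.append("name")
        elif child.tag == ds("RetrievalMethod"):
            kinds.append("reference")
        else:
            kinds.append("other")
    return kinds


class TrustStore:
    """Local trust: pinned cert fingerprints and key names we configured ourselves."""

    def __init__(self, cert_fingerprints, key_names):
        self.cert_fingerprints = set(cert_fingerprints)
        self.key_names = set(key_names)

    def resolve(self, keyinfo):
        """Return (kind, identity) for a KeyInfo hint we trust, else None.

        An X509Certificate is accepted only if its fingerprint is pinned; a
        KeyName only if we configured that name. KeyValue (a bare key chosen
        by the sender) and RetrievalMethod (fetch something from a URI the
        sender chose) are deliberately ignored: trusting either would let
        the sender pick its own verification key.
        """
        if keyinfo is None:
            return None
        for child in keyinfo:
            if child.tag == ds("X509Data"):
                for cert in child.findall(ds("X509Certificate")):
                    fp = cert_fingerprint(cert.text or "")
                    if fp in self.cert_fingerprints:
                        return ("certificate", fp)
            elif child.tag == ds("KeyName"):
                name = (child.text or "").strip()
                if name in self.key_names:
                    return ("name", name)
        return None


def response_with(keyinfo_inner):
    """Constructed SAML 1.x style response carrying the given KeyInfo children."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResponseID="_constructed">'
        "<ds:Signature><ds:SignedInfo/>"
        "<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>"
        "<ds:KeyInfo>" + keyinfo_inner + "</ds:KeyInfo>"
        "</ds:Signature></samlp:Response>"
    )


RESPONSE_TRUSTED_CERT = response_with(
    "<ds:X509Data><ds:X509Certificate>" + TRUSTED_CERT_B64 + "</ds:X509Certificate></ds:X509Data>")
RESPONSE_UNKNOWN_CERT = response_with(
    "<ds:X509Data><ds:X509Certificate>" + UNKNOWN_CERT_B64 + "</ds:X509Certificate></ds:X509Data>")
RESPONSE_KEY_NAME = response_with("<ds:KeyName>" + TRUSTED_KEY_NAME + "</ds:KeyName>")
RESPONSE_RAW_KEY = response_with(
    "<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>"
    "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>")
RESPONSE_EMPTY_KEYINFO = response_with("")

STORE = TrustStore([cert_fingerprint(TRUSTED_CERT_B64)], [TRUSTED_KEY_NAME])


def keyinfo_kinds(response_xml):
    root = ET.fromstring(response_xml)
    return classify_keyinfo(root.find(".//" + ds("KeyInfo")))


def resolve_signer(response_xml, store):
    """Pick the verification key for a response, or None if nothing is trusted."""
    root = ET.fromstring(response_xml)
    return store.resolve(root.find(".//" + ds("KeyInfo")))


if __name__ == "__main__":
    for label, xml in [("trusted cert", RESPONSE_TRUSTED_CERT), ("unknown cert", RESPONSE_UNKNOWN_CERT),
                       ("key name", RESPONSE_KEY_NAME), ("raw key", RESPONSE_RAW_KEY),
                       ("empty", RESPONSE_EMPTY_KEYINFO)]:
        print(label, keyinfo_kinds(xml), "->", resolve_signer(xml, STORE))
```

Only a resolved (kind, identity) pair should ever be handed to the signature verifier; a None result means the message is rejected before any cryptography runs, which is the "unknown signature" case the quoted question asks about. Whether to accept key names at all, or to require the pinned certificate in every case, is a local policy choice the spec leaves to the deployment.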

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--



