
mace-opensaml-users - RE: verifying signature on saml assertions

Subject: OpenSAML user discussion


RE: verifying signature on saml assertions


  • From: Scott Cantor <>
  • To: ,
  • Subject: RE: verifying signature on saml assertions
  • Date: Wed, 16 Apr 2003 10:37:27 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> toStream() canonicalizes before output. Shouldn't this
> happen within the sign() code, specified as a
> transform, so that the verify routine can properly
> apply the reverse transforms to obtain the pre-signed
> version of the element?

No, the point of the simple flag hack is to tell it that the SAML is alone in
the document. DSig always runs inclusive c14n as the final step when the input
is a node set. If excl c14n is needed to deal with namespace bleed-in, that has
to be a transform.

I use c14n so that the XML can move across a network and still verify, which
is a separate issue.

None of this will work reliably until SAML 1.1, so I actually suggest people
don't waste a lot of their time on this.

As soon as the schema changes for 1.1 are approved by the SSTC, I'm probably
going to drop a new schema in for it and start using it. This is too painful
to keep screwing around with.

If anybody is trying to interop with a commercial SAML 1.0 product, I might
reconsider, but I can't see that being too likely yet.

-- Scott
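The namespace bleed-in that Scott's reply refers to is easy to see once the
assertion is moved out of the document it was signed in. The following is an
added illustration for this archive page, not OpenSAML code and not a conforming
C14N implementation: it models only the namespace-declaration rule that differs
between inclusive c14n (every in-scope namespace is emitted on the apex element)
and exclusive c14n (only visibly utilized prefixes are emitted). The sample SOAP
envelope, the urn:example:unused namespace and the AssertionID value are
constructed for the example; attribute and text escaping is minimal and
comments, PIs and the xml: prefix are ignored.

```python
"""Namespace declarations under inclusive vs exclusive XML canonicalization.

Added example, not OpenSAML code. Simplified model of the C14N namespace
rule only; not a conforming canonicalizer (see lead-in for what is omitted).
"""
from xml.dom import minidom

# Constructed sample: a SAML 1.0 assertion embedded in a SOAP envelope whose
# ancestor also declares an unrelated, never-used namespace.
ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:ex="urn:example:unused">'
    '<soap:Body>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' AssertionID="_a1">'
    '<saml:Issuer>idp.example.org</saml:Issuer>'
    '</saml:Assertion>'
    '</soap:Body>'
    '</soap:Envelope>'
)

# The same assertion alone in its own document, the "SAML is alone in the
# document" case that the signer's simple flag assumes.
STANDALONE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' AssertionID="_a1">'
    '<saml:Issuer>idp.example.org</saml:Issuer>'
    '</saml:Assertion>'
)


def _ns_decls(elem):
    """Namespace declarations made on this element itself: {prefix: uri}."""
    decls = {}
    for i in range(elem.attributes.length):
        a = elem.attributes.item(i)
        if a.name == "xmlns":
            decls[""] = a.value
        elif a.name.startswith("xmlns:"):
            decls[a.name[6:]] = a.value
    return decls


def _in_scope(elem):
    """Every namespace in scope at elem, nearest declaration winning."""
    chain, node = [], elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for node in reversed(chain):  # root first, so descendants override
        scope.update(_ns_decls(node))
    return scope


def _visibly_utilized(elem):
    """Prefixes used by the element's own name and by its attribute names."""
    used = {elem.prefix or ""}
    for i in range(elem.attributes.length):
        a = elem.attributes.item(i)
        if a.prefix and a.prefix != "xmlns":
            used.add(a.prefix)
    return used


def canonicalize(elem, exclusive, _rendered=None):
    """Render elem's subtree. _rendered holds {prefix: uri} already emitted
    by an output ancestor, so a declaration repeats only when it changes."""
    rendered = dict(_rendered or {})
    scope = _in_scope(elem)
    if exclusive:
        used = _visibly_utilized(elem)
        wanted = {p: u for p, u in scope.items() if p in used}
    else:
        wanted = scope  # inclusive: the whole namespace axis bleeds in
    out = ["<", elem.tagName]
    for prefix in sorted(wanted):  # C14N orders namespace nodes by prefix
        if rendered.get(prefix) != wanted[prefix]:
            out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", wanted[prefix]))
            rendered[prefix] = wanted[prefix]
    attrs = []
    for i in range(elem.attributes.length):
        a = elem.attributes.item(i)
        if a.name != "xmlns" and not a.name.startswith("xmlns:"):
            attrs.append((a.namespaceURI or "", a.localName, a.name, a.value))
    for _, _, name, value in sorted(attrs):  # by namespace URI, then local name
        out.append(' %s="%s"' % (name, value.replace("&", "&amp;").replace('"', "&quot;")))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(canonicalize(child, exclusive, rendered))
        elif child.nodeType == child.TEXT_NODE:
            out.append(child.data.replace("&", "&amp;").replace("<", "&lt;"))
    out.append("</%s>" % elem.tagName)
    return "".join(out)


def canonical_assertion(document, exclusive):
    """Parse document and canonicalize the saml:Assertion element inside it."""
    elem = minidom.parseString(document).getElementsByTagName("saml:Assertion")[0]
    return canonicalize(elem, exclusive)


if __name__ == "__main__":
    import hashlib  # DigestValue comparison stands in for the DSig reference check
    for label, doc in (("standalone", STANDALONE), ("embedded", ENVELOPE)):
        for excl in (False, True):
            c14n = canonical_assertion(doc, excl)
            print("%-10s %-9s sha1=%s" % (label, "exclusive" if excl else "inclusive",
                                           hashlib.sha1(c14n.encode()).hexdigest()[:16]))
```

Run stand-alone, the inclusive digest of the embedded assertion differs from the
standalone one because xmlns:soap and xmlns:ex are pulled onto the apex element,
while the exclusive digests agree; that is why bleed-in has to be handled by an
exclusive c14n transform in the reference rather than by the final, inclusive
c14n step.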




