OpenSAML user discussion

[Asa Hardcastle <>]

I am not sure I understand completely what the two of you are saying.

The Security header is not included in the signature.  Some of its  
components are, and the id-wsf 2 spec requires that the Signature be a  
single signature referencing multiple signed elements and be a child  
of the Security header.  The Timestamp and any SAML Assertion token is  
also signed.

Is there something missing in my understanding?  What is not  
appropriate about this?

thanks for your help on this guys!

asa



--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7

On Feb 15, 2008, at 6:53 PM, Brent Putman wrote:

> Scott Cantor wrote:
> > > Thanks.  In my specific example (ID-WSF 2.0), the resultant
> > > ds:Signature is added as a child of the wsse:Security SOAP  
> > > Header.  I
> > > am signing the SOAP Body and several Headers, including some  
> > > elements
> > > of the wsse:Security header.  At present, I am doing the signing  
> > > with
> > > my own signing class, I'd like to transition to using the OpenSAML
> > > signing features.  Is the case I described above be easily possible?
> > I don't think that it would be all that appropriate to treat a  
> > Security
> > header as a plain signature parent. Typically the Signature in there
> > references more than just the parent element, and is application- 
> > specific.
> > Plus which the spec allows multiple signatures in there.
>
>
>
> Yes, agreed, I don't think your wsse:Security header or whatever  
> would extend from AbstractSignableXMLObject.  It may or may not be  
> signed itself, depending on the profile, and there could be multiple  
> ones, which that class does not allow.   That class was really  
> centric to the SAML single enveloped signature case.
>
> I don't see a problem with treating the Signature(s) as just plain  
> children of the header.