mace-opensaml-users - InclusiveNamespaces PrefixList
Subject: OpenSAML user discussion
List archive
- From: Mitchell Prentice <>
- To:
- Subject: InclusiveNamespaces PrefixList
- Date: Sat, 4 Jul 2009 19:01:43 +1000
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=TDTeX95vITk1Vf8I5a0Xbjcjafl97qf77J6vfOo15DWsD/BbZuNPlrcrFPyMYzm9i7 RKMWeqA8pkA9gTryHFlg4V0SPa/vKMJ/DrRZ5BLzXKqzmw6DHAnNnwIzftFOx9DmoDBv CPjzDVBBXZQgdME1zp5W+Yc3mwtWkuHpbT6zo=
Hello
I'm trying to understand the use of InclusiveNamespaces PrefixList in exclusive canonicalization. I understand that any prefixes in this list are handled as per the canonical xml recommendation. However, I don't really understand why they are used in signatures over SAML response and assertions.
The SAML v2.0 specification (core spec section 5.4.6) has an example with "#default saml ds xs xsi" that's used for both the response signature and the assertion signature but provides no explanation or recommendations regarding their use.
Is the InclusiveNamespace PrefixList necessary for signatures over either SAML responses or assertions? If so, specifically why?
What prefix list should be used for a SAML response signature? Is there a fixed list or some algorithm to determine what should be in the list?
What prefix list should be used for a SAML assertion signature?
If a signed SAML assertion is contained within a signed SAML response, does this make a difference to either prefix list?
Thanks
Mitch
- InclusiveNamespaces PrefixList, Mitchell Prentice, 07/04/2009
- RE: [OpenSAML] InclusiveNamespaces PrefixList, Scott Cantor, 07/05/2009
Archive powered by MHonArc 2.6.16.