Closed Razumain closed 2 years ago
There was a companion error in the deployment profile section 7.1.2.
It stated that in order to create a qualified signature (using CertType QC/SSCD) you have to use SAP, and if you use SAP you have to include SignMessage.
This is not true, because it also forces any voluntary use of SAP (even for non qualified certificates) to always include SignMessage.
What was intended with this requirement was to say that a request for a Qualified Electronic Signature (where cert type is QC/SSCD) MUST include a SAD request and MUST include a SignMessage.
This is now also fixed in the PR, updating the deployment profile from version 1.7 to 1.8 Draft version.
The SAP specification has several issues related to sign message:
Solving issue 1 is easy. This is done by changing to a non-sign-message LoA in the specification and its examples.
Solving issue 2 will require some thought. It is redundant to handle sign message in SAP since we, since writing this specification, have added the signMessageDigest attribute to the SAML response. Another reason why we might consider not mentioning SignMessage at all here is that this protocol may be used in situations where sign message is not handled by the IdP. A reasonable way forward is to remove the current mentioning of sign message, as it plays no direct role in the protocol, and to focus on the role of the SAD as evidence that the instance of authentication is bound to this instance of signing.