swedenconnect / technical-framework

Technical Specifications for the Swedish eID Framework

Signature Activation Protocol (SAP) sign message cleanup #188

Closed Razumain closed 2 years ago

Razumain commented 2 years ago

The SAP specification has several issues related to sign message:

  1. The specification and examples refer to usage of the old "signmessage" LoA URIs in the specification.
  2. The document mentions sign message as a data element that is essential for SAP and part of binding the signed data to the SAD, but the protocol does not involve the sign message in any way.

Solving issue 1 is easy. This is done by changing to a non-sign-message LoA in the specification and its examples.

Solving issue 2 will require some thought. It is redundant to handle sign-message in SAP since we have, since writing this specification, added the signMessageDigest attribute to the SAML response. Another reason why we might consider not mentioning SignMessage at all here is that this protocol may be used in situations where sign message is not handled by the IdP.

A reasonable way forward is to remove the current mentioning of sign message, as it plays no direct role in the protocol, and to focus on the role of the SAD to be an evidence that the instance of authentication is bound to this instance of signing.

Razumain commented 2 years ago

There was a companion error in the deployment profile section 7.1.2.

It stated that in order to create a qualified signature (using CertType QC/SSCD) you have to use SAP, and if you use SAP you have to include SignMessage.

This is not true, because it also forces any voluntary use of SAP (even for non-qualified certificates) to always include SignMessage.

What was intended with this requirement was to say that a request for Qualified Electronic Signature (where cert type is QC/SSCD) MUST include a SAD request and MUST include a SignMessage.

This is now also fixed in the PR, updating the deployment profile from version 1.7 to 1.8 Draft version.

martin-lindstrom commented 2 years ago

Fixed in PR https://github.com/swedenconnect/technical-framework/pull/189.