swedenconnect / technical-framework

Technical Specifications for the Swedish eID Framework

Update signing specifications #69

Closed Razumain closed 4 years ago

Razumain commented 6 years ago

Two new proposals to store transaction related evidence in signing certificates.

martin-lindstrom commented 6 years ago

The first item shouldn't be a problem. Regarding storing the SAD payload in the AuthnContext element (not extension): do you mean that we should introduce an extension for SAD and place it under AuthnContext instead of using the sad-attribute?

Razumain commented 6 years ago

No. The Assertion is fine as it is. This is about placing the SAD payload in the certificate as extra evidence that the SAP process was implemented. RFC 7773 allows multiple payloads to be stored that provide info about the auth context:

```asn1
AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF AuthenticationContext

AuthenticationContext ::= SEQUENCE {
    contextType  UTF8String,
    contextInfo  UTF8String OPTIONAL
}
```
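The structure quoted above, as an added example that is not part of the original thread or of the framework's own code: a strict DER encoder and decoder for `AuthenticationContexts` carrying several entries, with and without the optional `contextInfo`. The function names and the `urn:example:` values in `SAMPLE` are assumptions made for illustration.

```python
SEQUENCE, UTF8STRING = 0x30, 0x0C  # DER universal tags
# Constructed sample: placeholder URIs and payloads, not real identifiers.
SAMPLE = [("urn:example:saml-context", "<placeholder/>"),
          ("urn:example:sad", "placeholder-sad"), ("urn:example:bare", None)]

def _tlv(tag, body):  # one TLV with a minimal (DER) definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _read(buf, pos, tag):  # -> (body, next_pos); rejects non-DER lengths
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated input")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or pos + k > len(buf) or buf[pos] == 0:
            raise ValueError("indefinite, truncated or padded length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if n < 0x80:
            raise ValueError("non-minimal length")
    if pos + n > len(buf):
        raise ValueError("length exceeds input")
    return buf[pos:pos + n], pos + n

def encode_contexts(contexts):  # [(contextType, contextInfo or None)] -> DER
    if not contexts:
        raise ValueError("SIZE (1..MAX): need at least one entry")
    items = b""
    for ctype, cinfo in contexts:
        fields = [ctype] if cinfo is None else [ctype, cinfo]  # OPTIONAL
        body = b"".join(_tlv(UTF8STRING, f.encode("utf-8")) for f in fields)
        items += _tlv(SEQUENCE, body)
    return _tlv(SEQUENCE, items)

def decode_contexts(der):  # DER -> [(contextType, contextInfo or None)]
    outer, end = _read(der, 0, SEQUENCE)
    if end != len(der) or not outer:
        raise ValueError("trailing data or empty SEQUENCE")
    out, pos = [], 0
    while pos < len(outer):
        item, pos = _read(outer, pos, SEQUENCE)
        ctype, p = _read(item, 0, UTF8STRING)
        cinfo, p = _read(item, p, UTF8STRING) if p < len(item) else (None, p)
        if p != len(item):
            raise ValueError("unexpected field after contextInfo")
        out.append((ctype.decode(), cinfo if cinfo is None else cinfo.decode()))
    return out
```

The decoder refuses trailing bytes, an empty outer SEQUENCE and non-minimal lengths, so a verifier reading evidence out of a certificate does not accept two different encodings of the same payload list.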

AndersTornqvist commented 6 years ago

Can you elaborate on the purpose and justification of the proposals?

Hälsningar/Regards/Grüße, Anders Törnqvist, Comfact AB +46 (0)768 15 98 10


martin-lindstrom commented 4 years ago

@Razumain By introducing the <sacex:ExtAuthInfo> element to be used in the <saci:AuthContextInfo> we can store any attribute there - both transactionID and SAD...

martin-lindstrom commented 4 years ago

Fixed in PR https://github.com/swedenconnect/technical-framework/pull/116/