- Type: Improvement
- Status: Resolved
- Priority: Minor
- Resolution: Applied
- Affects Version/s: 2.0
- Fix Version/s: SAML 2.0 + Approved Errata 05
- Component/s: Core
- Labels: None
- Proposal:
- Resolution:
The XML Signature profile in SAML Core doesn't explicitly disallow the use of the <ds:Object> element in signatures, although it's discouraged by implication given the other restrictions imposed. Since the element is often used to carry out wrapping attacks, and its use was never profiled, we should discourage it explicitly.
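One way a relying party could enforce this before signature verification, shown as an added example that is not part of the original issue or of any SAML library. The function name and the sample documents are constructed for illustration, and the check also covers the profile's existing requirement of a single same-document Reference to the signed element's ID. It is a structural pre-check only and does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"


def signature_violations(xml_text):
    """Return profile violations found in any ds:Signature of a SAML message."""
    # ElementTree is enough for these constructed samples; untrusted input
    # should go through a hardened parser with DTDs and entities disabled.
    root = ET.fromstring(xml_text)
    found = []
    for parent in root.iter():
        for sig in parent.findall(DS + "Signature"):
            signed_id = parent.get("ID")
            # The point of this issue: ds:Object has no profiled use in SAML.
            if any(el.tag == DS + "Object" for el in sig.iter()):
                found.append(f"{signed_id}: ds:Object present in signature")
            # Existing restriction: exactly one Reference, to the parent's ID.
            refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
            uris = [r.get("URI") for r in refs]
            if uris != [f"#{signed_id}"]:
                found.append(f"{signed_id}: unexpected references {uris}")
    return found


def sample(extra=""):
    # Constructed skeleton: no digest, key or signature values.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="a1">'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>'
        f'{extra}</ds:Signature></saml:Assertion>'
    )


CLEAN = sample()
WITH_OBJECT = sample("<ds:Object><placeholder/></ds:Object>")

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("with ds:Object", WITH_OBJECT)):
        print(name, signature_violations(doc))
```
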