saml-dev - RE: [saml-dev] Subject confirmation.
- From: "Scott Cantor" <cantor.2@osu.edu>
- To: <alistair@smo.uhi.ac.uk>, <saml-dev@lists.oasis-open.org>
- Date: Tue, 29 Nov 2005 17:57:25 -0500
> Reading the profiles spec seems to suggest that
> SubjectConfirmation is a means to "proxy" the "real" Subject?

What profiles spec? And no, it doesn't mean only that. It could mean that.

> However, the asserting party can add additional information to the
> assertion giving various third parties (attesting entities)
> the right to "claim they are me"?

If a profile defines that. No such profile currently exists. The language
you're talking about is intended to *allow* a profile to do so. Nothing more
or less.

> i.e. in bearer in web sso:
> "The bearer of the assertion [The Browser] can confirm itself as the
> subject [Me]"

Right, and web sso is a profile.

> in holder of key, the asserting party is basically saying:
>
> "anyone who holds the key or certificate identified in the
> SubjectConfirmationData can claim to be Subject" - subject to
> conditions of course.

It means "associated" with the subject. Nothing more or less. Only the
profile can define what "associated" means.

> Does that mean that, say, SPa can sign something in the assertion it got
> from IdP before passing it on to SPb and SPb can use the certificate/key in
> SubjectConfirmationData to verify that SPa indeed has the key identified
> in SubjectConfirmationData? If so, then SPb can assume that the attesting
> entity (SPa) has a relationship with the asserting party (IdP) via its
> key, which is identified in SubjectConfirmationData?

A relationship, yes. You're jumping from that to being explicit about what
the relationship is. Only a profile of use can do that.

-- Scott
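The exchange above turns on what a relying party actually checks for the two confirmation methods it mentions: for bearer, that the assertion was delivered to the intended Recipient before it expired; for holder-of-key, that whoever presented the assertion has proven possession of a key listed in SubjectConfirmationData. The following is an added example, not code from the thread or from any SAML implementation. It constructs one assertion carrying both a bearer and a holder-of-key SubjectConfirmation (the certificate bytes, entity URLs and timestamps are made up), and evaluates it first at SPa, which is the bearer Recipient, and then at SPb, which is not and can therefore only accept the assertion if SPa authenticates with the listed key. The XML namespaces and Method URIs are the real SAML 2.0 values; everything else is assumed for illustration.

```python
"""Evaluate SAML 2.0 SubjectConfirmation the way a relying party must.

Constructed example: one assertion carries a bearer and a holder-of-key
SubjectConfirmation. The relying party accepts whichever it can satisfy
from what the presenter actually showed it, and rejects otherwise.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-in for the DER certificate SPa authenticates with
# (in practice: its TLS client certificate or message-signing certificate).
PRESENTER_CERT = b"constructed-DER-certificate-of-SPa"
PRESENTER_CERT_B64 = base64.b64encode(PRESENTER_CERT).decode()

# Constructed assertion; entity URLs and times are invented.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_c1" Version="2.0" IssueInstant="2005-11-29T22:57:25Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alistair</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="https://spa.example.org/acs"
          NotOnOrAfter="2005-11-29T23:02:25Z"/>
    </saml:SubjectConfirmation>
    <saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
      <saml:SubjectConfirmationData NotOnOrAfter="2005-11-30T22:57:25Z">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{PRESENTER_CERT_B64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC 'Z' timestamp form SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def confirm_subject(assertion_xml, recipient, now, presenter_cert=None):
    """Return (method, name_id) for the first SubjectConfirmation this relying
    party can satisfy, or (None, None) if it can satisfy none of them.

    bearer: SubjectConfirmationData must name us as Recipient and be unexpired;
            whoever delivered the assertion is then taken to be the subject.
    holder-of-key: the presenter must have authenticated with a certificate
            listed under SubjectConfirmationData/ds:KeyInfo (possession proven
            by the transport or signature, not by the assertion alone).
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue  # nothing to check against; do not guess
        expiry = data.get("NotOnOrAfter")
        if expiry and now >= parse_saml_time(expiry):
            continue  # this confirmation has lapsed
        method = sc.get("Method")
        if method == BEARER:
            if data.get("Recipient") == recipient:
                return method, name_id
        elif method == HOLDER_OF_KEY and presenter_cert is not None:
            listed = [
                _fingerprint(base64.b64decode(c.text.strip()))
                for c in data.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            ]
            if _fingerprint(presenter_cert) in listed:
                return method, name_id
    return None, None
```

Run at SPa with no client certificate, the bearer confirmation is enough because SPa is the named Recipient. Run at SPb, the bearer confirmation is useless (wrong Recipient), and the assertion is accepted only when SPb has seen SPa authenticate with the certificate in KeyInfo; that is exactly the "relationship, yes, but only a profile says what it means" point Scott makes, since the code can establish that the presenter holds the listed key and nothing more.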