Subject: RE: [saml-dev] holder-of-key subject confirmation
I believe it depends upon the KeyInfo used by the IdP in the attribute assertion. If the IdP identified C1 via specific reference (e.g. the actual certificate itself), the RP's message should not be considered valid as to meeting the requirements identified by the IdP. OTOH, if the IdP used KeyInfo/X509Data/X509SubjectName to identify the subject name of the user and C2 had the same Subject name, presenting the message with proof of C2's private key would be considered to meet the requirements identified by the IdP.

Essentially, the IdP has control over what the presenting party must do to prove to the relying party that it can present the assertion.

Conor

> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Sunday, May 11, 2008 11:25 AM
> To: SAML Developers
> Subject: [saml-dev] holder-of-key subject confirmation
>
> Consider the following sequence of protocol exchanges:
>
> 1. A user self-queries an IdP for attributes, authenticating with an
> X.509 certificate (C1).
> 2. The IdP issues a signed attribute assertion, binding the user's
> certificate to a holder-of-key <SubjectConfirmation> element.
> 3. The user presents the signed attribute assertion to a relying
> party, authenticating with a different X.509 certificate (C2).
>
> If the RP can verify that the subject names in C1 and C2 are the same,
> can the RP conclude that the subject is confirmed?
>
> Thanks,
> Tom
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org
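The distinction Conor draws (specific certificate reference vs. subject-name reference in the holder-of-key KeyInfo) as an added relying-party check, not code from the thread or from any SAML implementation. It assumes the assertion signature has already been verified and that proof of possession of the presented certificate's private key has already happened (e.g. TLS client authentication); the certificate bytes, subject names and assertion fragments are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


@dataclass
class PresentedCert:
    # Certificate the presenter proved key possession for (constructed stand-in:
    # the DER bytes are placeholders, not a real certificate).
    der: bytes
    subject_name: str


def hok_confirmed(assertion_xml: str, presented: PresentedCert) -> bool:
    """True only if the presented cert satisfies what the IdP put in KeyInfo."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue  # bearer or sender-vouches: not handled here
        for ki in sc.findall("saml:SubjectConfirmationData/ds:KeyInfo", NS):
            certs = [base64.b64decode(e.text.strip())
                     for e in ki.findall(".//ds:X509Certificate", NS)]
            names = [e.text.strip() for e in ki.findall(".//ds:X509SubjectName", NS)]
            if certs:
                # Specific reference: only the exact certificate (C1) satisfies it,
                # even if another cert carries the same subject name.
                if presented.der in certs:
                    return True
            elif names:
                # Name reference: any cert with that subject name (C1 or C2) counts.
                if presented.subject_name in names:
                    return True
    return False


def assertion_with(x509data_inner: str) -> str:
    # Minimal constructed assertion fragment; a real one is signed and larger.
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f'<saml:Subject><saml:NameID>user</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{HOK}"><saml:SubjectConfirmationData>'
            f'<ds:KeyInfo><ds:X509Data>{x509data_inner}</ds:X509Data></ds:KeyInfo>'
            f'</saml:SubjectConfirmationData></saml:SubjectConfirmation>'
            f'</saml:Subject></saml:Assertion>')


# Constructed: C1 and C2 are different certificates with the same subject name.
C1 = PresentedCert(b"C1-DER-PLACEHOLDER", "CN=user,O=Example")
C2 = PresentedCert(b"C2-DER-PLACEHOLDER", "CN=user,O=Example")
BY_CERT = assertion_with("<ds:X509Certificate>"
                         + base64.b64encode(C1.der).decode() + "</ds:X509Certificate>")
BY_NAME = assertion_with(f"<ds:X509SubjectName>{C1.subject_name}</ds:X509SubjectName>")
```

With BY_CERT only C1 confirms the subject; with BY_NAME both C1 and C2 do, which is exactly the IdP's choice Conor describes.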