saml-dev message



Subject: Re: [saml-dev] holder-of-key subject confirmation


On Sun, May 11, 2008 at 1:13 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
>  > If the IdP identified C1 via specific reference (e.g. the
>  > actual certificate itself), the RP's message should not be considered
>  > valid as to meeting the requirements identified by the IdP.
>
>  This is an example of my point. Identifying the certificate has NO bearing
>  on the actual technical requirements imposed on the other parties. I would
>  assert (and have implemented, in effect) that treating the certificate as a
>  key bag and accepting any proof that was based on the same public key is
>  perfectly legal in SAML.

Okay, but why can't I draw the same conclusion about the name?  If
<KeyInfo> contains a key, the RP confirms the subject if the presenter
proves possession of the key.  If <KeyInfo> contains a name, the RP
confirms the subject if the presenter proves itself to be the named
subject.  Putting those two together, if <KeyInfo> contains a
certificate, the RP confirms the subject if the presenter proves
possession of the key or proves itself to be the named subject.

Tom
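The two readings of `<KeyInfo>` argued over above, as an added example that is not part of the thread: the "key bag" reading confirms the subject only when the presenter proves possession of a key the KeyInfo identifies, while the wider reading also accepts a presenter that the transport merely authenticated under the named subject. The certificate blob, fingerprints and names are constructed placeholders, and `decode_certificate()` stands in for the RP's real X.509 parser (an assumption, since the standard library has none).

```python
# Added example (not from the saml-dev thread): holder-of-key subject confirmation
# under two readings of <ds:KeyInfo>. Names, fingerprints and the certificate blob
# are constructed placeholders; decode_certificate() stands in for an X.509 parser.
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional, Set, Tuple

DS = "{http://www.w3.org/2000/09/xmldsig#}"


class Presenter(NamedTuple):
    key_fingerprint: str               # key the presenter proved possession of (signature/TLS)
    authenticated_name: Optional[str]  # name the transport authenticated, or None


# Constructed stand-in for an X.509 decoder: cert blob -> (subject name, SPKI fingerprint)
_CONSTRUCTED_CERTS = {"CERT-BLOB-C1": ("CN=client1.example.org", "fp-key-A")}


def decode_certificate(blob: str) -> Tuple[str, str]:
    return _CONSTRUCTED_CERTS[blob.strip()]


def keyinfo_claims(keyinfo_xml: str) -> Tuple[Set[str], Set[str]]:
    """Return (keys, names) a ds:KeyInfo identifies. A certificate contributes both."""
    keys, names = set(), set()
    for el in ET.fromstring(keyinfo_xml).iter():
        text = (el.text or "").strip()
        if el.tag == DS + "KeyValue":
            keys.add(text)             # constructed: a fingerprint in place of the raw key
        elif el.tag == DS + "KeyName":
            names.add(text)
        elif el.tag == DS + "X509Certificate":
            subject, fp = decode_certificate(text)
            names.add(subject)
            keys.add(fp)
    return keys, names


def confirm(keyinfo_xml: str, presenter: Presenter, allow_name: bool) -> Optional[str]:
    """Basis on which the subject is confirmed ('key' or 'name'), or None.
    allow_name=False is the key-bag reading: a certificate only identifies a key.
    allow_name=True also confirms a presenter authenticated under the named subject."""
    keys, names = keyinfo_claims(keyinfo_xml)
    if presenter.key_fingerprint in keys:
        return "key"
    if allow_name and presenter.authenticated_name in names:
        return "name"
    return None


CERT_KEYINFO = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data><ds:X509Certificate>CERT-BLOB-C1</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>"""
```

Under the key-bag reading a presenter that only holds the certificate's subject name, not its key, is never confirmed; switching `allow_name` on is exactly the widening of what the RP accepts that the reply asks about.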

