Subject: Re: [saml-dev] holder-of-key subject confirmation
On Sun, May 11, 2008 at 1:13 PM, Scott Cantor <cantor.2@osu.edu> wrote:

> > If the IdP identified C1 via specific reference (e.g. the
> > actual certificate itself), the RP's message should not be considered
> > valid as to meeting the requirements identified by the IdP.
>
> This is an example of my point. Identifying the certificate has NO bearing
> on the actual technical requirements imposed on the other parties. I would
> assert (and have implemented, in effect) that treating the certificate as a
> key bag and accepting any proof that was based on the same public key is
> perfectly legal in SAML.

Okay, but why can't I draw the same conclusion about the name?

If <KeyInfo> contains a key, the RP confirms the subject if the presenter
proves possession of the key.

If <KeyInfo> contains a name, the RP confirms the subject if the presenter
proves itself to be the named subject.

Putting those two together, if <KeyInfo> contains a certificate, the RP
confirms the subject if the presenter proves possession of the key or proves
itself to be the named subject.

Tom
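As an added illustration that is not part of this thread or of any SAML implementation, the following Python sketch puts the two readings side by side for an RP evaluating a holder-of-key SubjectConfirmation whose KeyInfo carries an X509Certificate: treat the certificate as a key bag (confirm only on the same public key), or also accept a presenter whose own certificate carries the same subject name. Assumptions: the presenter's certificate has already been authenticated out of band (e.g. TLS client auth), the tiny DER walker and the toy_cert builder are illustrative helpers (toy_cert produces a constructed DER shape, not a real certificate), and comparing raw DER bytes stands in for proper key and name comparison.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def _tlv(buf, pos):
    # Read one DER tag-length-value at pos; returns (tag, value, end offset).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_key_and_subject(cert_der):
    # Walk Certificate -> tbsCertificate and return the raw DER bytes of
    # (subjectPublicKeyInfo, subject). No signature or chain check here.
    _, cert, _ = _tlv(cert_der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, end = _tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                  # optional explicit [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1], fields[4][1]

def confirms(assertion_xml, presented_cert_der, accept_name=False):
    # accept_name=False: asserted certificate is a key bag, only the same public
    # key confirms (Scott). accept_name=True: same subject name also confirms (Tom).
    key, name = cert_key_and_subject(presented_cert_der)
    root = ET.fromstring(assertion_xml)
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for c in sc.iterfind(path, NS):
            akey, aname = cert_key_and_subject(base64.b64decode(c.text))
            if akey == key or (accept_name and aname == name):
                return True
    return False

def toy_cert(subject, key):
    # Constructed stand-in with the DER shape of an X.509 certificate (short
    # lengths, empty signature); not a real, verifiable certificate.
    der = lambda tag, body: bytes([tag, len(body)]) + body
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, b"") + der(0x30, b"") + der(0x30, subject) + der(0x30, key))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```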