Subject: RE: [saml-dev] holder-of-key subject confirmation
> Conor's conclusion makes sense to me, but Scott I don't understand
> your comment.

There is no global PKI. That's essentially the comment. The idea that IN THE ABSTRACT a certificate or a subject name means anything is simply not supportable.

> Are you saying you can think of no practical situation
> where the user would have and use two such certificates, or is there
> some other point you're trying to make here?

Unless you constrain the CAs involved and understand the implications of equating two certificates with the same subject, then no, it's not practical. If you can constrain them, then sure, it's possible.

But I would claim that there's nothing in any spec that says you:

- can rely only on subject names in any particular case
- can interpret a KeyInfo containing a subject name as implying that in that particular case you only need a matching name
- can interpret a KeyInfo containing a certificate as implying that in that particular case you MUST use that exact certificate

The specs not only don't say any of that anywhere, but having implemented related function contrary to point 3, I'd have to argue against such an interpretation.

-- Scott
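The three interpretations Scott says the specs do not mandate, written out as explicit relying-party policy choices for a holder-of-key confirmation check. This is an added example, not code from the thread or from any SAML implementation; `Cert` and `KeyInfo` are constructed stand-ins (no real X.509 parsing), and the `trusted_issuers` allowlist is the "constrain the CAs" step Scott describes.

```python
"""Holder-of-key subject confirmation policy (added example, not from the thread).

'der' and 'spki' are constructed stand-ins for the DER-encoded certificate and
its SubjectPublicKeyInfo; a real relying party would parse the TLS client cert.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str   # subject DN, e.g. "CN=alice" (constructed)
    issuer: str    # issuer DN (constructed)
    der: bytes     # stand-in for the encoded certificate
    spki: bytes    # stand-in for the SubjectPublicKeyInfo


@dataclass(frozen=True)
class KeyInfo:
    """What ds:KeyInfo in a holder-of-key SubjectConfirmationData may carry."""
    certificate: Optional[Cert] = None   # ds:X509Certificate, if present
    subject_name: Optional[str] = None   # ds:X509SubjectName, if present


def confirm_holder_of_key(keyinfo: KeyInfo, presented: Cert,
                          trusted_issuers: FrozenSet[str]) -> Tuple[bool, str]:
    """Decide whether the presenter of `presented` is the confirmed subject.

    Preference order: exact certificate, then same public key (a certificate in
    KeyInfo is evidence of the key, not a demand for that exact blob), then
    subject name, which only means something once the issuing CA is constrained.
    """
    if keyinfo.certificate is not None:
        if keyinfo.certificate.der == presented.der:
            return True, "exact certificate match"
        if keyinfo.certificate.spki == presented.spki:
            return True, "same public key, different certificate"
        return False, "certificate present but key differs"
    if keyinfo.subject_name is not None:
        if presented.subject != keyinfo.subject_name:
            return False, "subject name mismatch"
        if presented.issuer not in trusted_issuers:
            return False, "subject name matches but issuer is not a constrained CA"
        return True, "subject name match under constrained CA"
    return False, "KeyInfo carries nothing to confirm against"
```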