Subject: Re: [saml-dev] holder-of-key subject confirmation
Hi Tom,

If the RP trusted C2, then, I think, informally, that RP could then rely on the confirmation. By "informally", I mean that the IdP has a formal relationship with the user and by issuing the SAML assertion is potentially authorizing the user to conduct certain types of activities that would be guaranteed by the IdP if the user signed with the private key of C1. However, I do not believe, in general, that the IdP would consider itself responsible for anything done with C2. However, an RP that trusted the IdP for confirmation of the subject in C1 might be willing to assume that the subject of C2 was, in fact, the same subject.

The weakness I see here is that it seems to reduce a strong token (SAML HoK) to the level of a bearer token, because the inherent strength of the HoK is not being used. It would seem that the main reliance of the RP in this scenario is on the trust it has in C2, and the SAML assertion can be thought of possibly as a 2nd factor of authentication, making the RP more confident in C2 than it would be otherwise.

I think I would need to understand more about the objectives of this combination of authentications - i.e. who is the RP going to be holding accountable for what.

Thanks,
Rich

Tom Scavo wrote:
> On Sun, May 11, 2008 at 10:32 PM, Rich.Levinson <rich.levinson@oracle.com> wrote:
>> Anyone can read the cert, C1, and create a new cert, C2 with the same subject name etc. But no one should trust C2, because C2 was not contained in anything signed by IdP.
>
> Rich, would you change your point of view if the relying party RP happens to trust the certificate C2 presented by the user?
>
> Tom
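The distinction the thread turns on (a certificate C2 carrying the same subject name as C1 versus the actual key the IdP bound into the assertion) is easiest to see as two relying-party checks side by side. The following is an added example written for this page, not code from either poster or from any SAML implementation. It assumes a simplified HoKAssertion struct standing in for the signed assertion's NameID and the certificate in SubjectConfirmationData/ds:KeyInfo (signature verification by the RP is assumed to have already passed), and all certificates are constructed test data generated with Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed test certificate for the given common name
// with a fresh P-256 key. Constructed test data only: calling it twice with
// the same name yields two certificates with identical subjects but
// unrelated keys, which is exactly the C1 / C2 situation in the thread.
func makeCert(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// HoKAssertion is an assumed, simplified model of the parts of a
// holder-of-key SAML assertion that matter here: the subject NameID and the
// DER certificate (C1) the IdP embedded in SubjectConfirmationData/KeyInfo.
// Real assertions are XML and signed by the IdP; that signature is assumed
// to have been verified before these checks run.
type HoKAssertion struct {
	NameID     string
	KeyInfoDER []byte
}

// nameOnlyMatch is the weak check the thread warns about: it accepts any
// presented certificate whose subject name equals the subject of C1, so a
// freshly minted C2 with the same name passes. This reduces the HoK
// assertion to something no stronger than a bearer token.
func nameOnlyMatch(a HoKAssertion, presented *x509.Certificate) bool {
	c1, err := x509.ParseCertificate(a.KeyInfoDER)
	if err != nil {
		return false
	}
	return c1.Subject.String() == presented.Subject.String()
}

// ConfirmHolderOfKey is the check holder-of-key confirmation is designed
// for: the key the client proved possession of (e.g. through TLS client
// authentication) must be the key the IdP bound into the assertion. It
// compares the SubjectPublicKeyInfo bytes, so a same-name C2 with a
// different key is rejected regardless of who issued C2.
func ConfirmHolderOfKey(a HoKAssertion, presented *x509.Certificate) bool {
	c1, err := x509.ParseCertificate(a.KeyInfoDER)
	if err != nil {
		return false
	}
	return bytes.Equal(c1.RawSubjectPublicKeyInfo, presented.RawSubjectPublicKeyInfo)
}

func main() {
	c1 := makeCert("alice") // the certificate the IdP put in the assertion
	c2 := makeCert("alice") // same subject name, unrelated key
	a := HoKAssertion{NameID: "alice", KeyInfoDER: c1.Raw}

	fmt.Println("name-only check accepts C2:", nameOnlyMatch(a, c2))
	fmt.Println("HoK check accepts C1:     ", ConfirmHolderOfKey(a, c1))
	fmt.Println("HoK check accepts C2:     ", ConfirmHolderOfKey(a, c2))
}
```

Comparing the full certificate bytes instead of the SubjectPublicKeyInfo is equally valid when the IdP embeds a certificate rather than a bare key; the point is that the RP must compare what the IdP signed against what the client proved possession of, not against a name that anyone can copy.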