Subject: HoK assertions in the ICAM profile
ICAM [1] has specified holder-of-key assertions at LoA 4 such that "the <ds:X509Certificate> element MUST contain the certificate that the end user used to authenticate to the IdP" and "the RP must validate that the certificate issuer is cross-certified with the Federal Bridge Certification Authority."

Note that there is no reference to the SAML V2.0 Holder-of-Key Web Browser SSO Profile in the ICAM document. Maybe the ICAM document is irrelevant to the broader SAML community, I don't know, but the document's failure to distinguish between the strength of the authentication token and the key bound to the assertion (as in the HoK Web Browser SSO profile) is unfortunate, I think.

Didn't the SSTC send a letter to the U.S. government regarding holder-of-key assertions at one point?

Tom

[1] Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile, Version 1.0, September 27, 2010
http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf