
Subject: RE: [saml-dev] question on Holder fo the key


SAML HOK says that the sender must prove possession of a key; it does not specify exactly how that proof of possession takes place. In Liberty’s ID-WSF we defined two security mechanisms for SAML HOK: one in which the key is proven via the transport layer and one where the key is proven by a signed message (the signature being in the WS-Security header).

Both are valid from a SAML point of view, but they are not equivalent from a features/performance point of view. For example, generally speaking, if you’re sending multiple messages on the same transport layer connection, it will be cheaper (computationally) to use the transport layer to prove possession of the key. The downside of this choice is that it eliminates the ability to prove who sent the message, since there are no per-message signatures, or to allow multiple senders of messages on the same transport connection.

 

Signing individual messages with an asymmetric key keeps the proof of key within the data layer, while also allowing the messages to be preserved and usable as a proof of message (for non-repudiation at some point in the future) but at substantial cost on the client and especially on the server (a canonicalization and PKI operation for every message).

 

So, you need to select the mechanism that fits with your requirements.   If you want more information on the Liberty discussion in this area  you can take a look at the Liberty ID-WSF Security Mechanisms specification.

 

Conor
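As an added illustration (not code from this thread, nor from the Liberty ID-WSF or OASIS specifications), the check a relying party performs once the lower layer has proven the presenter's key by either of the two mechanisms Conor describes: the certificate the presenter demonstrably holds (the verified TLS client certificate, or the certificate that produced a verified WS-Security signature) must be one the issuer bound into a holder-of-key SubjectConfirmation. The function names, the constructed assertion and the placeholder certificate bytes are assumptions made for this example; a bearer confirmation binds no key, so it is never confirmed by this check.

```python
"""Holder-of-key confirmation check (added example): compare the key bound
into a SAML assertion with the key the presenter actually proved holding."""
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
PRESENTER_CERT_DER = b"constructed DER bytes: presenter certificate"
OTHER_CERT_DER = b"constructed DER bytes: some other certificate"


def build_assertion(method, cert_der=None):
    """Constructed sample assertion with a single SubjectConfirmation.
    For holder-of-key the confirming X.509 certificate travels in ds:KeyInfo
    inside SubjectConfirmationData; a bearer confirmation carries no key."""
    key_info = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode("ascii")
        key_info = (
            f'<ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data>'
            f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo>"
        )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{method}">'
        f"<saml:SubjectConfirmationData>{key_info}</saml:SubjectConfirmationData>"
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
    )


def fingerprint(cert_der):
    """SHA-256 over the DER bytes, so comparison is independent of encoding."""
    return hashlib.sha256(cert_der).hexdigest()


def hok_fingerprints(assertion_xml):
    """Fingerprints of every certificate bound by a holder-of-key confirmation.
    Confirmations using any other method (bearer included) bind no key."""
    root = ET.fromstring(assertion_xml)
    bound = set()
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if sc.get("Method") != HOK:
            continue
        for cert in sc.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            bound.add(fingerprint(der))
    return bound


def confirm_holder_of_key(assertion_xml, proven_cert_der):
    """proven_cert_der is the certificate whose private key the lower layer has
    already verified the presenter holds: the TLS client certificate for the
    transport mechanism (e.g. ssl.SSLSocket.getpeercert(binary_form=True)),
    or the certificate behind a verified WS-Security signature for the message
    mechanism.  With the transport mechanism every message on the connection
    shares this one certificate, which is why per-message sender attribution
    is lost.  The assertion is confirmed only if that certificate is one the
    issuer bound into a holder-of-key confirmation."""
    if proven_cert_der is None:
        return False
    return fingerprint(proven_cert_der) in hok_fingerprints(assertion_xml)


if __name__ == "__main__":
    hok = build_assertion(HOK, PRESENTER_CERT_DER)
    print(confirm_holder_of_key(hok, PRESENTER_CERT_DER))   # presenter matches
    print(confirm_holder_of_key(hok, OTHER_CERT_DER))       # different key
    print(confirm_holder_of_key(build_assertion(BEARER), PRESENTER_CERT_DER))
```

The proof of possession itself is not done here: it is whatever the TLS handshake or the XML-signature verifier established. This function only closes the loop the SAML profile requires, tying the proven key back to the key the issuer named in the assertion.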

 

From: swu@axolotl.com [mailto:swu@axolotl.com]
Sent: Tuesday, May 24, 2011 2:01 PM
To: Eric Heflin
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] question on Holder fo the key

 

We have a requirement for using SOAP messages with SAML HOK for authentication. I agree that TLS mutual authentication CAN be part of the trust model, but it is at the transport layer and not at the message layer (and has its own limitations). My personal judgement is layered security, where each layer serves a different purpose. I can trust A more if A can provide credentials 1 & 2, but I can trust B less if he can only provide credential 1.

Sorry, this is way out of scope, could you please point me to the correct TC group?

Thank you very much!

Stephen


From: Eric Heflin <eheflin@medicity.com>
To: "Cantor, Scott E." <cantor.2@osu.edu>, "swu@axolotl.com" <swu@axolotl.com>
Cc: "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>
Date: 05/24/2011 10:41 AM
Subject: RE: [saml-dev] question on Holder fo the key

Also, wouldn't the "bearer" SubjectConfirmation method be a closer match to these requirements than "holder-of-key"?

Eric Heflin
Dir of Standards and Interoperability
Medicity
THE Standard for Meaningful HIE.
www.medicity.com
801.415.2672 (o)
801.674.2313 (m)
eheflin (Skype)

-----Original Message-----
From: Cantor, Scott E. [mailto:cantor.2@osu.edu]
Sent: Tuesday, May 24, 2011 11:24 AM
To: swu@axolotl.com
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] question on Holder fo the key

On 5/24/11 1:20 PM, "swu@axolotl.com" <swu@axolotl.com> wrote:

>I guess then my question would be how
>would SAML establish trust relationship in HOK case if no certificate
>is included (neither from IdP nor Client).

Out of scope.

And for the record, if you establish trust based on the certificate directly, you probably wouldn't need SAML.

-- Scott

