Subject: RE: [saml-dev] question on Holder of the key
SAML HOK says that the sender must prove possession of a key; it does not specify exactly how that proof of possession takes place. In Liberty's ID-WSF we defined two security mechanisms for SAML HOK: one in which the key is proven via the transport layer and one where the key is proven by a signed message (the signature being in the WS-Security header). Both are valid from a SAML point of view, but they are not equivalent from a features/performance point of view.

For example, generally speaking, if you're sending multiple messages on the same transport layer connection, it will be cheaper (computationally) to use the transport layer to prove possession of the key. The downside of this choice is that it eliminates the ability to prove who sent the message, since there are no per-message signatures, or to allow multiple senders of messages on the same transport connection. Signing individual messages with an asymmetric key keeps the proof of key within the data layer, while also allowing the messages to be preserved and usable as proof of a message (for non-repudiation at some point in the future), but at substantial cost on the client and especially on the server (a canonicalization and PKI operation for every message).

So, you need to select the mechanism that fits with your requirements. If you want more information on the Liberty discussion in this area you can take a look at the Liberty ID-WSF Security Mechanisms specification.

Conor

From: swu@axolotl.com [mailto:swu@axolotl.com]

We have a requirement for using SOAP messages with SAML HOK for authentication. I agree that TLS mutual authentication CAN be part of the trust model, but it is at the transport layer and not at the message layer (and has its own limitations). My personal judgement is layered security, and each layer serves a different purpose. I can trust A more if A can provide credentials 1 & 2, but I can trust B less if he can only provide credential 1.
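As an added illustration (not part of the thread or of any Liberty or OASIS code), this is the relying-party check that both of the mechanisms described above end in: the certificate the sender actually demonstrated control of, whether the TLS client certificate or the one that verified the WS-Security signature, must be the one named in the assertion's holder-of-key SubjectConfirmation, and a bearer confirmation must never pass as HoK. The assertion and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces for SAML 2.0 assertions and XML Signature KeyInfo.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def holder_of_key_certs(assertion_xml: str) -> set[bytes]:
    """DER certificates the assertion binds its subject to via HoK.

    Only SubjectConfirmation elements whose Method is holder-of-key count;
    a bearer confirmation names no key and must never be treated as HoK.
    """
    root = ET.fromstring(assertion_xml)  # in production parse with defusedxml
    certs = set()
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        for cert in sc.iterfind(".//ds:KeyInfo//ds:X509Certificate", NS):
            certs.add(base64.b64decode("".join((cert.text or "").split())))
    return certs


def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes) -> bool:
    """True if the certificate the sender proved control of is one the
    assertion names. presented_cert_der is the TLS client certificate
    (transport-layer proof) or the certificate that verified the WS-Security
    signature (message-layer proof); the binding check is the same for both."""
    shown = hashlib.sha256(presented_cert_der).digest()
    return any(hmac.compare_digest(hashlib.sha256(c).digest(), shown)
               for c in holder_of_key_certs(assertion_xml))


# Constructed sample data: placeholder bytes stand in for real DER certificates.
CLIENT_CERT_DER = b"constructed-client-cert-der"
OTHER_CERT_DER = b"constructed-other-cert-der"
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK}"><saml:SubjectConfirmationData>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(CLIENT_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </saml:SubjectConfirmationData></saml:SubjectConfirmation>
  </saml:Subject></saml:Assertion>"""
# Same assertion with a bearer confirmation: carries no key, so HoK must fail.
BEARER_ASSERTION = ASSERTION.replace(HOK, "urn:oasis:names:tc:SAML:2.0:cm:bearer")
```

Signature verification itself (XML-DSig or the TLS handshake) is assumed to have happened before this check; the function only answers whether the proven key and the asserted key agree.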