security-bindings message

Subject: RE: What use is SenderVouches? (was RE: [security-bindings] SOAP Profile draft)

From: "Mishra, Prateek" <pmishra@netegrity.com>
To: 'Irving Reid' <Irving.Reid@baltimore.com>,"'security-bindings@lists.oasis-open.org'"<security-bindings@lists.oasis-open.org>,"'blakley@us.tivoli.com'" <blakley@us.tivoli.com>
Date: Wed, 24 Oct 2001 16:25:55 -0400

Irving,

The core issue is: a subject "delivers" to a trusted server 
a few assertions which the server attaches to a business
payload through a signing act. 

Question: What should the <ConfirmationMethod>
in the assertions be set to??

Now, I would argue that there are two positions that are
reasonable here:

(1) The above flow is out of scope of SAML 1.0 because of ....
[I disagree with this assumption but I can see a viewpoint
in this direction....]

(2) We need some kind of token for the <ConfirmationMethod>
so that the receiver can say: aha! I am not going to get any 
more information from the assertion or the sender
about how the assertion came
to be in the possession of the sender. Instead, I should 
figure out who the sender is (using the sender signature)
and whether I believe that I trust the sender to attach these assertions to
a business payload.

This is all the "SenderVouches" proposal expresses in the
concrete context of XML messaging. 


>>I still don't see what the value of this is. As far as I can 
>>tell, when an
>>issuer creates an assertion containing
>><SubjectConfirmation>SenderVouches</SubjectConfirmation>, 
>>what they are
>>saying is:
>>
>>The way you can tell if this assertion applies to a given 
>>message, is that
>>the sender of the message attached this assertion to the message.
>>
>>In other words, the assertion applies to the message because 
>>the sender says
>>so. Presumably, the sender attached the assertion to the 
>>message because the
>>sender intended to indicate that the assertion is relevant to 
>>the message.
>>

[Prateek] As I stated above, there is also an implication here
that the RP is NOT going get any other information about 
authenticating the subject. In other words, we are warning the
RP: process this message in the context of the attached assertions
ONLY if you believe the sender has the right to attach them.

>>Now, what does it mean for a sender to attach an assertion to 
>>a message,
>>when the assertion in question is _not_ marked SenderVouches? 
>>I argue that
>>it means exactly the same thing: the sender attached the assertion to
>>indicate that the assertion is relevant.

[Prateek]

Well, lets get concrete: What is the <ConfirmationMethod> element
set to in your proposal above?

>>
>>I can't think of any circumstance where the SenderVouches 
>>marker actually
>>adds value. I think it should be dropped.
>>
 >>

[Prateek] I would be overjoyed to drop it BUT I want to be
sure we capture various simple flows relating to XML messaging!
My current belief is that SenderVouches plays a small but
concrete role in this space.


- prateek