security-services-comment message
Subject: Re: Fwd: suggestion for holder of key profile


On Tue, Nov 18, 2008 at 9:41 AM, Peter Sylvester
<Peter.Sylvester@edelweb.fr> wrote:
>
> Tom Scavo wrote:
>>
>> Peter, this is a resend.  Tom
>>
>> ---------- Forwarded message ----------
>> From: Tom Scavo <trscavo@gmail.com>
>> Date: Thu, Nov 13, 2008 at 7:48 PM
>> Subject: Re: suggestion for holder of key profile
>> To: Peter Sylvester <Peter.Sylvester@edelweb.fr>
>>
>> Hi Peter,
>>
>> 1. I would like to acknowledge your contributions in the next revision
>> of the HoK Assertion Profile.  What affiliation would you like me to
>> use?
>
> Peter Sylvester  - EdelWeb

I'll include this in the next version of the HoK Assertion Profile, thanks.

>> 2. From now on, would you mind submitting comments via the normal
>> OASIS comment process?
>>
>> http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=security
>
> I could

Thanks.  I'm helping here by cc'ing security-services-comment :-)

>> 3. Your example below is syntactically legal, but I don't understand
>> what it buys us.  How do these extensions facilitate holder-of-key
>> subject confirmation?
>
> The idea is to avoid applications having to know how to extract 'identities'
> which can be encoded in extensions, as for example Microsoft's UPN
> or some permanent identifier, etc., email address, web server host name.

I don't see how that helps.  Suppose the SAML issuer parses the X.509
certificate in its possession and binds the subject DN in the
certificate to the <saml:SubjectConfirmation> element.  Then the RP
must also parse the X.509 certificate and verify that the subject DN
in the certificate is the same as the DN bound to the assertion.  As
far as I can tell, it doesn't help to bind additional elements to the
<saml:SubjectConfirmation> element.

>> Something along these lines was recently suggested to the SSTC.  It
>> was agreed (in principle) that an X.509 certificate might be used as
>> the value of NameID (BaseID, actually, since that is a natural
>> extension point).  It seems like that's what you're driving at here.
>
> Not exactly. The whole X509 cert is not IMO an identifier for an entity.
> There are identifiers inside the certificate, and the logic to extract them
> is not always easy to deploy in applications. Having NameIDs as a
> kind of 'alias' seems at least useful to me to simplify the work of
> an application, since you actually get the 'alias' as a NameID string
> identified by some type, and that is much easier to parse than the
> various forms of a subjectAltName extension.
>
> In the example below, some of the NameIDs seem to be inside
> the DN, but the real place in the certificate is a subjectAltName.

There is nothing the SAML issuer can bind to the assertion (except the
entire certificate) that precludes the RP from parsing the X.509
certificate.

>> 4. The HoK Assertion Profile will be going to Public Review soon and I
>> look forward to your comments.
>
> Good.
>
> The second proposal was about the validity dates of the certificate.

The profile doesn't care if the certificate is time-valid.  If the
SAML issuer binds the entire certificate to the assertion
(<ds:X509Certificate>), and the certificate possessed by the RP
matches the certificate in the assertion, then the subject is
confirmed.

Relating this to the HoK Web Browser Profile, if both the SAML issuer
and the RP obtain the same certificate via the TLS exchange, and the
presenter proves possession of the corresponding private key in both
cases, then the RP can conclude that one-and-the-same presenter was
involved in *both* transactions.

Tom

>> On Wed, Nov 5, 2008 at 12:51 PM, Peter Sylvester
>> <Peter.Sylvester@edelweb.fr> wrote:
>>
>>> Tom Scavo wrote:
>>>
>>>> Hi Peter,
>>>>
>>>> Just a note to let you know I haven't forgotten about this.  I'll
>>>> respond just as soon as I can.
>>>
>>> no problem, take your time. I have an example here (handmade).
>>> The names are actually encoded in a subjectAltName and in
>>> the serialNumber in an otherName permanentIdentifier, and there
>>> is also a Microsoft UPN, for which I misused the OID so far.
>>>
>>> The NameIDs are not extracted from the subjectName.
>>>
>>>
>>> <ds:X509Data>
>>> <ds:X509IssuerSerial>
>>>  <ds:X509IssuerName>CN=SG Mardi Gras CA,O=GROUPE SOCIETE
>>> GENERALE</ds:X509IssuerName>
>>>  <ds:X509SerialNumber>4711</ds:X509SerialNumber>
>>> </ds:X509IssuerSerial>
>>>
>>> <ds:X509SubjectName>dnQualifier=X4711:CARNEVAL,emailAddress=peter.sylvester@socgen.com,CN=Peter
>>> Sylvester,UID=X4711,serialNumber=ALAAF,O=GROUPE SOCIETE
>>> GENERALE</ds:X509SubjectName>
>>> <NameID Format="urn:oid:1.3.6.1.4.1.311.20.2.2">X4711@CARNEVAL</NameID>
>>> <NameID Format="urn:oid:1.2.250.1.124.5.2">X4711</NameID>
>>> <NameID Format="urn:oid:1.2.250.1.124.5.1">WONDERFUL</NameID>
>>> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
>>> Peter.Sylvester@socgen.com
>>> </NameID>
>>> <Conditions
>>>  NotBefore="2008-11-11T11:11:11Z"
>>>  NotAfter="2009-02-25T23:59:59Z" />
>>> </ds:X509Data>
>>>
>>>
>>>>
>>>> Cheers,
>>>> Tom
>>>>
>>>> On Wed, Oct 29, 2008 at 11:39 AM, Peter Sylvester
>>>> <Peter.Sylvester@edelweb.fr> wrote:
>>>>
>>>>
>>>>>
>>>>> I have two suggestions for the holder of key profile which may be
>>>>> useful for some applications, in particular when the certificate is
>>>>> not returned but only a reference, as X509IssuerSerial for example.
>>>>>
>>>>> - In order to permit an application to determine the validity of a
>>>>> certificate, the validity period of the certificate could be returned
>>>>> as a <saml:Conditions> structure inside the X509Data.
>>>>>
>>>>> - Similar to the <ds:X509Subject>, other "identifiers" could be
>>>>> returned, like for example an email address (which may only be present
>>>>> in a subjectAltName). In order to do this, one can simply use a
>>>>> <saml:NameID> with an appropriate "Format".
>>>>>
>>>>> What do you think?
>>>>> Thanks in advance for any comment.
>>>>>
>>>>> /P
>>>>>
>>>>> --
>>>>>
>>>>> <http://www.edelweb.fr>
>>>>> *Edel/W/eb*     Peter SYLVESTER
>>>>> Information Systems Security Consultant
>>>>> -----------------------------------------------------------
>>>>> EdelWeb - Groupe ON-X
>>>>> 15, quai de Dion-Bouton
>>>>> F-92816 Puteaux Cedex
>>>>> Tel : +33.1.40.99.14.14 / Fax : +33.1.40.99.99.58
>>>>> www.edelweb.fr <http://www.edelweb.fr> / www.on-x.com
>>>>> <http://www.on-x.com>
>>>>> -----------------------------------------------------------
>>>>> To verify the message signature, see edelpki.edelweb.fr
>>>>> <http://edelpki.edelweb.fr/>
>>>>> This lets you download the root authority certificate
>>>>> <http://edelpki.edelweb.fr/cacerts/EdelPKI-ca.der>;
>>>>> the list of revoked certificates can also be found there.


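The RP-side comparison Tom describes (the whole certificate bound to <saml:SubjectConfirmation> checked byte-for-byte against the certificate presented over TLS, with no DN or issuer/serial parsing and no look at validity dates), as an added Python example that is not part of this thread or of the HoK profile itself. The assertion layout and the certificate bytes are constructed for illustration, and the names `assertion_with`, `bound_certificates` and `hok_confirmed` are assumptions of this example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-ins for DER-encoded certificates (not real X.509 data);
# the check below only ever compares raw bytes, so any byte string will do.
CERT_PRESENTED = b"\x30\x82\x01\x00constructed-client-cert-A"
CERT_OTHER = b"\x30\x82\x01\x00constructed-client-cert-B"

def assertion_with(cert_der: bytes, method: str = HOK) -> str:
    """Build a constructed SAML assertion fragment that binds cert_der to the
    <saml:SubjectConfirmation> as a <ds:X509Certificate> (example only)."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject>
    <saml:NameID>peter</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{b64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def bound_certificates(assertion_xml: str) -> list:
    """DER bytes of every certificate bound under a holder-of-key confirmation;
    confirmations using any other Method (e.g. bearer) are ignored."""
    root = ET.fromstring(assertion_xml)
    out = []
    for sc in root.findall(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        for c in sc.findall(".//ds:X509Certificate", NS):
            out.append(base64.b64decode("".join((c.text or "").split())))
    return out

def hok_confirmed(assertion_xml: str, presented_der: bytes) -> bool:
    """RP check: confirm the presenter only if the certificate it proved possession
    of over TLS is byte-for-byte one bound in the assertion; no DN/issuer-serial
    parsing, and the certificate's own validity dates are not consulted."""
    want = hashlib.sha256(presented_der).digest()
    return any(hmac.compare_digest(hashlib.sha256(c).digest(), want)
               for c in bound_certificates(assertion_xml))
```

Proof of possession of the private key is assumed to have happened in the TLS handshake on both the issuer's and the RP's side; this function only covers the matching step.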