OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services-comment] Re: http://saml.xml.org/news/holder-of-key-web-browser-sso-profile

Scott Cantor wrote:
>> The introduction could mention something about that an X.509 cert has
>> two purpuses:
>>     
>
> It's not our job to define the purpose of X.509 certificates, and nobody
> would agree if we tried. I certainly don't agree with yours, for example.
> There's no such thing as a "global" identity.
>   
Right. "global" was not the right word.  I intended only to say
the subjectDN non-ambiguously identifies an entity (in some
space at some time).

>   
>> My initial question was for a feature to return additional
>> identifier of the "subject" for example in the way outlined below.
>>     
>
> That would be an incorrect use of SubjectConfirmation. If you want to pull
> something out of the certificate to use as the subject, you can do so, but
> do it in the assertion subject, not there.
>   
I agree that the SPprovidedID seems to be a place, but it doesn't work 
well, if
you have several ids that you want to process.

If the syntax would be a choice off string and sequence of NameId, ok.
The case is that a serviceprovider may use several of the possible 
identifiers,
an email, a global company id, etc.

Thus, for the moment I was suggesting to cnosider the following:

Can't "Additional data that allows the subject to be confirmed" be 
interpreted
as 'The subject is confirmed because according to our policy, we were
successfully able to determine the following additional identifiers which
are represented in the form of NameId' which we include in the 
SubjectConfirmation"
?

maybe it is outside the scope of the document.
> -- Scott
>
>
>
>   


-- 

<http://www.edelweb.fr>
*Edel/W/eb* 	Peter SYLVESTER
Consultant Sécurité des Systèmes d'Information
-----------------------------------------------------------
EdelWeb - Groupe ON-X
15, quai de Dion-Bouton
F-92816 Puteaux Cedex
Tel : +33.1.40.99.14.14 / Fax : +33.1.40.99.99.58
www.edelweb.fr <http://www.edelweb.fr> / www.on-x.com <http://www.on-x.com>
-----------------------------------------------------------
To verify the message signature, see edelpki.edelweb.fr 
<http://edelpki.edelweb.fr/>
Cela vous permet de charger le certificat de l'autorité de racine 
<http://edelpki.edelweb.fr/cacerts/EdelPKI-ca.der>;
die Liste mit zurückgerufenen Zertifikaten finden Sie da auch.

S/MIME Cryptographic Signature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]