OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services-comment] Re: [saml-dev] SAML Holder of Key Profile


> Yes, I know.  I'm realizing how hard it is to write a profile with no
> protocol flow :-)  Even your choice of words above ("in advance of"
> and "ahead of time") hint of a flow embedded in time.

Well, SubjectConfirmation by its nature is an active event in response to
something, so it's difficult to isolate, but I think it's just a question of
stating assumptions, and most of them are implicit in any use of
SubjectConfirmation.

> 3) The relying party possesses an X.509 certificate known to be
> associated with the target attesting entity (who may or may not be
> present)

This holds at the IdP, but not the relying party. By definition, the
attesting entity must be present because that's what an attesting entity is.
To explain how to process SubjectConfirmation, you have to assume the entity
attempting to satisfy is presenting the assertion as part of a process.

Maybe I don't follow what you mean by "target" there?

> I agree, but exactly what are you proposing with respect to the HoK
> Assertion Profile?  Are you suggesting that we provide a typical usage
> scenario to help ground the reader (or mislead the reader, as the case
> may be).

No, not really, I'm suggesting it be aligned with the technical language in
the core specification and some of the subsequent work in which
SubjectConfirmation assumes:

- somebody is presenting the assertion and attesting to the identity in the
subject
- the subject confirmation specifies (loosely in core) how that test is
performed

So the attesting entity is present by definition. It presents the assertion
by definition. Based on your profile, you have processing rules that
indicate what the test is. After that, success implies that the attestation
is valid, the attesting entity is the subject for the purposes of the
asserting party.

-- Scott




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]