Subject: RE: [security-services-comment] Re: [saml-dev] SAML Holder of Key Profile
> Yes, I know. I'm realizing how hard it is to write a profile with no
> protocol flow :-) Even your choice of words above ("in advance of"
> and "ahead of time") hints at a flow embedded in time.

Well, SubjectConfirmation by its nature is an active event in response to something, so it's difficult to isolate, but I think it's just a question of stating assumptions, and most of them are implicit in any use of SubjectConfirmation.

> 3) The relying party possesses an X.509 certificate known to be
> associated with the target attesting entity (who may or may not be
> present)

This holds at the IdP, but not the relying party. By definition, the attesting entity must be present because that's what an attesting entity is. To explain how to process SubjectConfirmation, you have to assume the entity attempting to satisfy it is presenting the assertion as part of a process. Maybe I don't follow what you mean by "target" there?

> I agree, but exactly what are you proposing with respect to the HoK
> Assertion Profile? Are you suggesting that we provide a typical usage
> scenario to help ground the reader (or mislead the reader, as the case
> may be)?

No, not really. I'm suggesting it be aligned with the technical language in the core specification and some of the subsequent work, in which SubjectConfirmation assumes:

- somebody is presenting the assertion and attesting to the identity in the subject
- the subject confirmation specifies (loosely in core) how that test is performed

So the attesting entity is present by definition. It presents the assertion by definition. Based on your profile, you have processing rules that indicate what the test is. After that, success implies that the attestation is valid, and the attesting entity is the subject for the purposes of the asserting party.

-- Scott
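The holder-of-key confirmation test this reply describes, written out as an added Python example (not code from the thread or from the SAML specifications): the relying party looks for a SubjectConfirmation whose Method is holder-of-key and checks that the certificate named in its KeyInfo matches the certificate the presenting (attesting) entity actually authenticated with. The assertion text and the certificate value are constructed placeholders; signature validation and NotOnOrAfter checks are assumed to happen elsewhere.

```python
"""Added example: relying-party side holder-of-key SubjectConfirmation check."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample: one bearer confirmation and one holder-of-key confirmation.
# "MIIBplaceholderCert" stands in for a base64 DER certificate; it is not a real cert.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIBplaceholderCert</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def _norm(b64: str) -> str:
    """Strip line breaks and whitespace so base64 certs compare byte-for-byte."""
    return "".join(b64.split())


def confirm_holder_of_key(assertion_xml: str, presenter_cert_b64: str) -> bool:
    """True if a holder-of-key SubjectConfirmation in the assertion names the
    certificate the presenting (attesting) entity authenticated with.
    Bearer and sender-vouches confirmations are skipped: their tests differ."""
    root = ET.fromstring(assertion_xml)
    want = _norm(presenter_cert_b64)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert in sc.findall(path, NS):
            if _norm(cert.text or "") == want:
                return True  # attesting entity is the subject for this relying party
    return False


if __name__ == "__main__":
    print(confirm_holder_of_key(SAMPLE_ASSERTION, "MIIBplaceholderCert"))
```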