security-services-comment message

Subject: Re: [saml-dev] SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack


On Mon, Apr 27, 2009 at 9:45 AM, Scott Cantor <cantor.2@osu.edu> wrote:
> Tom Scavo wrote on 2009-04-27:
>> "Suppose a SAML issuer wishes to issue a response containing one or
>> more holder-of-key assertions. As a prerequisite, the SAML issuer MUST
>> possess an X.509 certificate known to be associated with the
>> attesting entity."
>
> I would phrase it as "public key" rather than "certificate", but yes.

Well, the HoK Assertion Profile is in Public Review as well, so we can
certainly change the wording if we think that's best, but I wonder if
we shouldn't leave it as it is?  I took the above quote out of context
(obviously) but if you go back, read the spec, and refresh your
memory, I think you'll find that a certificate is in fact what's
required throughout, at least given how the spec is written now.

>> Not to mince words but I think this should be "a protocol establishing
>> proof of possession of a *known* key".
>
> Agreed, I was imprecise. I was only pushing back on the notion that any
> concept such as "officialness" was involved. A Formal PKI is NOT a
> requirement to prevent MITM.

Agreed.

Thanks,
Tom
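The distinction the thread turns on (proof of possession of a *known* key, with the known key coming from the verifier's own trust data rather than from whatever certificate the peer presents) can be made concrete in a few lines. The following Go program is an added illustration; it is not code from this thread, from the HoK profile, or from any OASIS implementation. It assumes a signed challenge as a stand-in for the TLS client-certificate handshake, a map named `KnownKeys` as a stand-in for SAML metadata or another trust store, and constructed party names ("alice", "mallory"); `VerifyHolderOfKey` and `RunScenario` are hypothetical names chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// KnownKeys stands in for the verifier's trust data (e.g. SAML metadata):
// the public key already known to belong to each attesting entity.
type KnownKeys map[string]*rsa.PublicKey

// selfSignedCert wraps key in a short-lived self-signed certificate. Anyone can
// make one, which is why a certificate by itself says nothing about who holds it.
func selfSignedCert(name string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// proveChallenge is the attesting entity's side of proof of possession: sign a
// fresh verifier challenge with the private key. (Stand-in for the TLS handshake.)
func proveChallenge(key *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// VerifyHolderOfKey is the verifier's side. It accepts only when both hold:
//  1. the signature proves possession of the private key behind cert, and
//  2. cert's public key is the key already known for entity.
// Check 1 is all a bare certificate gives you; check 2 is the "known key"
// requirement that defeats a substituted certificate in the middle.
func VerifyHolderOfKey(known KnownKeys, entity string, cert *x509.Certificate, challenge, sig []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	h := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return errors.New("proof of possession failed")
	}
	want, ok := known[entity]
	if !ok {
		return errors.New("no key known for entity")
	}
	// Compare keys, not certificate bytes: a re-issued certificate around the
	// same key still matches, any certificate around another key does not.
	if !pub.Equal(want) {
		return errors.New("presented key is not the key known for entity")
	}
	return nil
}

// RunScenario exercises three constructed cases and reports which were accepted:
// the registered entity; the same entity with a re-issued certificate around the
// same key; and an interloper whose self-signed certificate claims the entity's
// name but wraps a key nobody registered.
func RunScenario() (legit, renewed, interloper bool) {
	must := func(err error) {
		if err != nil {
			panic(err) // setup failure, not a verification outcome
		}
	}
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	known := KnownKeys{"alice": &alice.PublicKey}
	challenge := []byte("constructed verifier nonce 0001")

	aliceCert, err := selfSignedCert("alice", alice)
	must(err)
	aliceRenewed, err := selfSignedCert("alice", alice) // new cert, same key
	must(err)
	malloryCert, err := selfSignedCert("alice", mallory) // claims the name, other key
	must(err)
	sigA, err := proveChallenge(alice, challenge)
	must(err)
	sigM, err := proveChallenge(mallory, challenge)
	must(err)

	legit = VerifyHolderOfKey(known, "alice", aliceCert, challenge, sigA) == nil
	renewed = VerifyHolderOfKey(known, "alice", aliceRenewed, challenge, sigA) == nil
	interloper = VerifyHolderOfKey(known, "alice", malloryCert, challenge, sigM) == nil
	return
}

func main() {
	legit, renewed, interloper := RunScenario()
	fmt.Printf("registered key: %v, re-issued cert: %v, interloper: %v\n", legit, renewed, interloper)
}
```

The interloper's certificate is perfectly valid as a certificate and its signature over the challenge verifies, so a verifier that stops at "does this certificate prove possession of its own key?" would accept it; only the comparison against the key the verifier already knows rejects it. That comparison is on the public key, so the same entity passing a re-issued certificate around the same key is still accepted, which is the practical reason for Scott's preference for "public key" over "certificate" in the wording.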
