Subject: [security-services] RE: [security-services-comment] Specifying Issuer(vs. Subject)


In the case of both Subject and Issuer, it is necessary to confirm that the information refers to, or is asserted by, the party in question.

However, SAML assumes that an Issuer will either digitally sign the assertion or will use some means outside of SAML (e.g. TLS session, physically secure network) to provide the Relying Party with assurance that the Assertion is authentic.

In contrast, since SAML encompasses so many different usages, it was felt necessary to specify a wide variety of means for confirming the correspondence between a party to some network interaction and the Subject of the Assertion. For this reason a variety of subject confirmation methods have been specified. If SAML assumed, as PKIX does for example, that a subject would always confirm its identity with a PK signature, then you would see the same symmetry as in a PKI certificate.

Regards,

Hal

> -----Original Message-----
> From: Amir Herzberg <amir@beesites.co.il>
> Sent: Mon, 18 Feb 2002 10:15:28 +0200
> To: security-services-comment@lists.oasis-open.org
> Subject: [security-services-comment] Specifying Issuer (vs. Subject)
>
>
> Hi, I'm not a member in the WG so let me see if this comment
> list is actually active. Here is a comment/question regarding
> draft-sstc-core-25, version of Jan. 10th 2002.
>
> I noticed that there is a strong asymmetry between the
> encoding of Issuer vs. Subject information. The Subject
> information is well specified in SubjectStatement element
> (with subelements for name and confirmation, e.g. key). But
> it seems to me that Issuer should be specified only by name,
> as a mandatory attribute of <Assertion> element. Am I right?
> Why is this? I can explain why there may be situations where
> we may want more or different ways to identify the issuer (in
> particular, to identify the method to confirm the issuer,
> e.g. public key, can be very important).
>
> Regards,
>
> Amir Herzberg
>

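A relying-party sketch of the two checks Hal contrasts, added here as an illustration; it is not part of the original exchange and not text from any OASIS specification. The Issuer is authenticated once, either by a signature the relying party can verify with the key it holds for that Issuer or by an authenticated channel such as a TLS session, while the Subject is confirmed by whichever ConfirmationMethod the assertion names. Assumptions: an HMAC stands in for the enveloped XML Signature; the trust store, the assertion, the `presenter` dictionary and the key fingerprint in SubjectConfirmationData (where a real holder-of-key assertion carries ds:KeyInfo) are constructed; the confirmation-method URIs are those of the final SAML 1.0 specification and may not match draft-sstc-core-25.

```python
"""Relying-party checks for a SAML 1.0-style assertion (added illustration).

Issuer: authenticated once, by signature or by the transport.
Subject: confirmed by the method the assertion itself names.
An HMAC stands in for the XML Signature (assumption); all data is constructed.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
CM = "urn:oasis:names:tc:SAML:1.0:cm:"   # confirmation-method URI prefix (SAML 1.0 final)

# Constructed trust data: the key the RP accepts for each Issuer, and the
# intermediaries it trusts to vouch for a subject they present.
ISSUER_KEYS = {"https://idp.example.org": b"issuer-signing-key-for-example"}
TRUSTED_VOUCHERS = {"portal.example.org"}


def build_assertion(method: str, confirmation_data: str) -> bytes:
    """Constructed assertion. SubjectConfirmationData carries a key
    fingerprint here; a real holder-of-key assertion carries ds:KeyInfo."""
    return f"""<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  AssertionID="a-1" Issuer="https://idp.example.org"
  IssueInstant="2002-02-18T08:15:28Z" MajorVersion="1" MinorVersion="0">
  <AuthenticationStatement AuthenticationInstant="2002-02-18T08:15:00Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <Subject>
      <NameIdentifier>amir@example.com</NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>{method}</ConfirmationMethod>
        <SubjectConfirmationData>{confirmation_data}</SubjectConfirmationData>
      </SubjectConfirmation>
    </Subject>
  </AuthenticationStatement>
</Assertion>""".encode()


def sign(assertion: bytes, issuer_key: bytes) -> str:
    """Issuer side: HMAC stand-in for an enveloped XML Signature (assumption)."""
    return hmac.new(issuer_key, assertion, hashlib.sha256).hexdigest()


def confirm_issuer(assertion: bytes, signature: Optional[str] = None,
                   channel_peer: Optional[str] = None) -> bool:
    """Issuer check: a signature verifiable with the key held for the named
    Issuer, or an out-of-band channel (e.g. TLS) whose authenticated peer is
    that Issuer. The Issuer attribute by itself proves nothing."""
    issuer = ET.fromstring(assertion).get("Issuer")
    key = ISSUER_KEYS.get(issuer)
    if key is None:
        return False                      # unknown issuer: fail closed
    if signature is not None:
        return hmac.compare_digest(sign(assertion, key), signature)
    return channel_peer == issuer


def confirm_subject(assertion: bytes, presenter: dict) -> bool:
    """Subject check: dispatch on the ConfirmationMethod URI. `presenter`
    describes the party actually on the wire (constructed shape)."""
    root = ET.fromstring(assertion)
    method = root.findtext(".//saml:SubjectConfirmation/saml:ConfirmationMethod",
                           namespaces=NS)
    data = (root.findtext(".//saml:SubjectConfirmation/saml:SubjectConfirmationData",
                          namespaces=NS) or "").strip()
    if method == CM + "holder-of-key":
        # the presenter must have demonstrated the key bound into the assertion
        return bool(data) and presenter.get("key_fingerprint") == data
    if method == CM + "sender-vouches":
        # the RP relies on having authenticated the presenter and trusting it to vouch
        return presenter.get("authenticated_as") in TRUSTED_VOUCHERS
    if method == CM + "bearer":
        # possession alone confirms; audience and validity conditions (not
        # modelled here) are what normally limit this method's exposure
        return True
    return False                          # unknown method: fail closed


def validate(assertion: bytes, presenter: dict, signature: Optional[str] = None,
             channel_peer: Optional[str] = None) -> dict:
    """Both checks must pass: a confirmed subject inside an assertion whose
    issuer is unauthenticated is worthless, and vice versa."""
    issuer_ok = confirm_issuer(assertion, signature, channel_peer)
    subject_ok = confirm_subject(assertion, presenter)
    return {"issuer": issuer_ok, "subject": subject_ok,
            "accepted": issuer_ok and subject_ok}


if __name__ == "__main__":
    fp = "sha256:" + hashlib.sha256(b"client-cert-der-bytes").hexdigest()
    a = build_assertion(CM + "holder-of-key", fp)
    sig = sign(a, ISSUER_KEYS["https://idp.example.org"])
    print(validate(a, {"key_fingerprint": fp}, signature=sig))
```

Note how the two halves differ in shape: `confirm_issuer` has exactly one question to answer (did the named Issuer produce these bytes?), so one key lookup suffices, whereas `confirm_subject` has to branch on the method and fail closed on any URI it does not recognise, which is the operational cost of the flexibility Hal describes.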