Subject: [security-services] HolderOfKey and SenderVouches are slipping thru the cracks(!)
An apparent side-effect of our placing the responsibility for defining ConfirmationMethod identifiers with SAML profiles and bindings is having the HolderOfKey and SenderVouches ConfirmationMethods sort of disappear. They are not mentioned in Prateek's proposed changes to bindings-model-13...

Proposed changes to bindings-13 to include definition of SAML Confirmation Method identifiers
http://lists.oasis-open.org/archives/security-services/200204/msg00013.html

Note that we explicitly listed them among the four ConfirmationMethods we felt we wanted to retain..

Minutes for Focus Group Telecon Tue 2-Apr-2002
http://lists.oasis-open.org/archives/security-services/200204/msg00007.html

> Presently defined & employed ConfirmationMethods (and attendant
> SubjectConfirmationData values) will be defined in appropriate places in the
> subsequent version of bindings-model-xx, and it'll also have a (sub)section
> summarizing the presently defined & employed ConfirmationMethods...
> holderOfKey
> bearer
> sender vouches
> artifact

This situation is likely due to there not being an obvious place in bindings-model-13 to define holderOfKey and SenderVouches. Additionally, we'd agreed that there ought to be a summary section (appendix?) that lists all the ConfirmationMethods defined in the spec.

A proposal to solve this is to concoct a short, specific subsection of section 3 "Bindings" (3.2, say) along the lines of..

3.2 ConfirmationMethod Identifiers

Assertions returned by SAML responders in response to any SAML requests MAY contain ConfirmationMethod identifiers defined in this subsection, or MAY contain ConfirmationMethod identifiers defined elsewhere in this specification (e.g. in profiles), or MAY contain ConfirmationMethod identifiers defined in other specifications or by private agreement. Use and interpretation of ConfirmationMethod identifiers is profile- or application-specific. See

3.2.1 Holder of Key:

URI: urn:oasis:names:tc:SAML:1.0:cm:Holder-Of-Key
<ds:KeyInfo>: Any cryptographic key

The subject of the assertion is the party that can demonstrate that it is the holder of the private component of the key specified in <ds:KeyInfo> of the enclosing <SubjectConfirmation> element.

3.2.2 Sender Vouches:

URI: urn:oasis:names:tc:SAML:1.0:cm:sender-vouches

Indicates that no other information is available about the context of use of the assertion. The relying party SHOULD utilize other means to determine if it should process the assertion further.

...and add this appendix near the end of the spec....

X Appendix: ConfirmationMethods summary

These confirmation methods are defined in this specification:

Identifier                                      See section
----------                                      -----------
urn:oasis:names:tc:SAML:1.0:cm:Holder-Of-Key    3.2.1
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches   3.2.2
urn:oasis:names:tc:SAML:1.0:cm:Artifact-01      4.1.1.1
urn:oasis:names:tc:SAML:1.0:cm:Bearer           4.1.2.1

-----
JeffH
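As an added illustration (editor's example, not part of JeffH's message and not code from the SAML TC or any draft), the following shows what a relying party can and cannot conclude from an assertion's <SubjectConfirmation> alone under the proposed 3.2.1 and 3.2.2 text: Holder-Of-Key needs a <ds:KeyInfo> plus some out-of-band proof of private-key possession, sender-vouches carries no context and so forces the relying party onto "other means", and any identifier outside the proposed appendix is profile- or private-agreement territory. The identifier URIs and section numbers are taken from the proposed appendix as written; the SAML 1.0 assertion and XML Signature namespace URIs are the standard ones; the sample assertions are constructed here, and the status labels are this example's own policy vocabulary, not spec terms.

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML 1.0 assertions and XML Signature (standard values, not from the message).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}

# ConfirmationMethod identifiers and sections exactly as listed in the proposed appendix.
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:Holder-Of-Key"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
CM_ARTIFACT = "urn:oasis:names:tc:SAML:1.0:cm:Artifact-01"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:Bearer"
KNOWN_METHODS = {
    CM_HOLDER_OF_KEY: "3.2.1",
    CM_SENDER_VOUCHES: "3.2.2",
    CM_ARTIFACT: "4.1.1.1",
    CM_BEARER: "4.1.2.1",
}

# Constructed minimal assertion template for demonstration; not the output of any real issuer.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="%s" xmlns:ds="%s"
    MajorVersion="1" MinorVersion="0" AssertionID="constructed-example-1">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier>alice@example.test</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>%s</saml:ConfirmationMethod>
        %s
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def make_assertion(method_uri, key_name=None):
    """Build a constructed SAML 1.0 assertion with one ConfirmationMethod and optional <ds:KeyInfo>."""
    keyinfo = ""
    if key_name:
        keyinfo = "<ds:KeyInfo><ds:KeyName>%s</ds:KeyName></ds:KeyInfo>" % key_name
    return ASSERTION_TEMPLATE % (SAML_NS, DS_NS, method_uri, keyinfo)


def evaluate_confirmation(assertion_xml, key_possession_demonstrated=False):
    """Return a (method, section, status) tuple per ConfirmationMethod in the assertion.

    `key_possession_demonstrated` stands in for whatever out-of-band proof the relying
    party obtained (for instance a signature verified against the key in <ds:KeyInfo>);
    this function only checks what the assertion itself can tell us.
    """
    root = ET.fromstring(assertion_xml)
    findings = []
    for sc in root.iter("{%s}SubjectConfirmation" % SAML_NS):
        has_keyinfo = sc.find("ds:KeyInfo", NS) is not None
        for cm in sc.findall("saml:ConfirmationMethod", NS):
            method = (cm.text or "").strip()
            section = KNOWN_METHODS.get(method)
            if method == CM_HOLDER_OF_KEY:
                # 3.2.1: the subject must prove possession of the private half of the KeyInfo key.
                if not has_keyinfo:
                    status = "reject-missing-keyinfo"
                elif key_possession_demonstrated:
                    status = "confirmed"
                else:
                    status = "pending-key-proof"
            elif method == CM_SENDER_VOUCHES:
                # 3.2.2: the assertion carries no context of use; other means SHOULD decide.
                status = "other-means-required"
            elif method in (CM_BEARER, CM_ARTIFACT):
                # Defined in section 4 of the draft; no key proof is bound to the subject.
                status = "bearer-style"
            else:
                # Identifiers from other specs or private agreement: profile-specific handling.
                status = "unknown-method"
            findings.append((method, section, status))
    return findings


if __name__ == "__main__":
    cases = [
        ("holder-of-key with KeyInfo", make_assertion(CM_HOLDER_OF_KEY, "alice-key"), True),
        ("holder-of-key without KeyInfo", make_assertion(CM_HOLDER_OF_KEY), True),
        ("sender-vouches", make_assertion(CM_SENDER_VOUCHES), False),
        ("private method", make_assertion("urn:example:cm:private-agreement"), False),
    ]
    for label, xml, proven in cases:
        print(label, "->", evaluate_confirmation(xml, key_possession_demonstrated=proven))
```

The point the appendix table buys a relying party is visible in the lookup: an identifier missing from KNOWN_METHODS is neither an error nor silently accepted, it is routed to whatever the governing profile or private agreement says, which is exactly the "profile- or application-specific" clause in the proposed 3.2 text.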