OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Proposed Agenda for SSTC Conference Call,Dec 23



Scott Cantor wrote:

>>Note that the WSS SAML token profile describes how assertions
>>may be chained such that SAML assertions (and other types of
>>security tokens) referenced (by STR) from the  confirmation
>>method of an assertion may be used to identify additional subjects
>>(i.e. proxies) as part of the confirmation method sepcification of an
>>assertion.
>>    
>>
>
>This point is actually a bit more relevant to the work item on SSO proxying
>(proxies are really just an optional implementation detail of the LECP work
>item).
>
Scott,

I see. It looks like I was reading more into the proxying functionality 
defined by LECP.

>But note that this model of incoporating existing SAML tokens by reference
>as subject confirmation is fundamentally unusable in deployments with
>privacy-preserving identifiers. You can't expose the principal's identifier
>to the new relying party in the chain, and you can't encrypt it without
>breaking the signature.
>  
>
I understand. The mechanism I described could be used by the intermediate to
proxy for the invocation subject presented to the ultimate relying party.

The principal identifier of the invocation subject seen by some other 
SSO related
relying party (including the intermediate) need not be exposed as a 
result of
authorizing the intermediate as proxy for the identifier presented to the
downstream relying party.

If the assertion presented to the intermediate identifies a principal that
must not be shown/known to the downstream relying party, then the 
intermediate will
have to acquire or issue a new assertion with an appropriate invocation 
subject
identity.

I know I am not following the subtleties of this thread. I just wanted 
to point out that
SAML-authority authorized proxying is a feature that the SAML token 
profile of
WS-security accommodates (in addition to the basic sender-vouches 
mechanism).

Ron

>-- Scott
>
>
>To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
>
>  
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]