Subject: RE: [security-services] Question on X509 Authn-based Attr Sharing Profile


Thanks for the quick responses, guys.

Rick, will you consider tightening up the profile to state what might be necessary in KeyInfo (e.g., KeyName that is managed OOB)?

Scott, can you elaborate on your point about "Metadata is only likely way ..." Were you suggesting one could use metadata to map user entities (key names) to their certs?

Thanks, Tom.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, March 09, 2005 3:53 PM
To: 'Thomas Wisniewski'; security-services@lists.oasis-open.org
Cc: 'Scott Tomilson'
Subject: RE: [security-services] Question on X509 Authn-based Attr Sharing Profile


> All, is there a place on the Saml site that describes the
> usage/validation of the subject using holder-of-key
> identifier (more detail than the SAML 2 Profile spec)?

No, I asked this earlier. It applies to WSS as well, not anything particular to SAML. What does "use a ds:KeyInfo to verify..." mean in technical terms?

If trust is out of scope (and it has been), then it means anything. So interoperability is impossible except in a few cases.

To follow up Rick's last note, I don't think saying "out of band" is enough unless the plan is to allow any use of the element, as now. If you want anything more specific, the profile has to say that.

For example, OOB doesn't imply KeyName to me. You could pass the cert, but still have the binding of cert to entity occur OOB. Metadata is one likely way, but that's OOB with respect to the SAML assertion.

-- Scott
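To make the two readings of "use a ds:KeyInfo to verify" discussed above concrete, here is an added example (not from the thread or the OASIS profile) of a relying party checking a holder-of-key SubjectConfirmation. It handles both forms Scott distinguishes: a bare KeyName resolved through an out-of-band mapping, and an inline certificate whose binding to the entity is still established out of band. The certificates, the `OOB_KEYS` mapping and the assertion fragments are constructed stand-ins.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
ALICE_CERT = b"constructed-der-for-alice"
BOB_CERT = b"constructed-der-for-bob"

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

# OOB trust store (hypothetical, e.g. populated from metadata): KeyName -> cert fingerprint.
OOB_KEYS = {"alice@example.org": fingerprint(ALICE_CERT)}

def confirm_holder_of_key(assertion_xml: str, presenter_cert_der: bytes) -> bool:
    """True if a holder-of-key confirmation binds the assertion to the cert the presenter used."""
    presented = fingerprint(presenter_cert_der)
    root = ET.fromstring(assertion_xml)
    for sc in root.findall(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        for ki in sc.findall("saml:SubjectConfirmationData/ds:KeyInfo", NS):
            # Form 1: KeyName only; the name is resolved through the OOB mapping.
            for kn in ki.findall("ds:KeyName", NS):
                if OOB_KEYS.get(kn.text.strip()) == presented:
                    return True
            # Form 2: cert carried inline. It must match the presenter's cert AND be
            # one we already trust OOB; an inline cert alone binds nothing to an entity.
            for c in ki.findall("ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join(c.text.split()))
                if fingerprint(der) == presented and presented in OOB_KEYS.values():
                    return True
    return False

def assertion_with(keyinfo_inner: str) -> str:
    # Constructed minimal assertion fragment; real assertions carry far more.
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f'<saml:Subject><saml:SubjectConfirmation Method="{HOK}">'
            f'<saml:SubjectConfirmationData><ds:KeyInfo>{keyinfo_inner}'
            '</ds:KeyInfo></saml:SubjectConfirmationData>'
            '</saml:SubjectConfirmation></saml:Subject></saml:Assertion>')

KEYNAME_ASSERTION = assertion_with("<ds:KeyName>alice@example.org</ds:KeyName>")
INLINE_ASSERTION = assertion_with(
    "<ds:X509Data><ds:X509Certificate>" + base64.b64encode(ALICE_CERT).decode()
    + "</ds:X509Certificate></ds:X509Data>")
```

Note that in both forms the decision rests on the out-of-band mapping, which is exactly why the profile cannot guarantee interoperability without saying what that mapping is.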
