[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Question on X509 Authn-based Attr Sharing Profile
> Scott, can you elaborate on your point about "Metadata is
> only likely way ..." Were you suggesting one could use
> metadata to map user entities (key names) to their certs?

No, I didn't mean metadata is the *only* way (it's just one way of doing OOB key exchange), and no, I didn't mean it applied to this particular case, just that it's an example of a mechanism where keys might be exchanged OOB of SAML assertions but the assertion might still contain a cert and not just a KeyName. Signed assertions, for example, typically have the signing cert in them, but the actual exchange of the key could still be OOB.

So when you asked is it OOB (KeyName), I was trying to say OOB != KeyName to me.

What is the typical content of ds:KeyInfo with holder-of-key today? SAML 2.0 hasn't changed anything, apart from acknowledging that ownership of the key is different from "being the subject".

-- Scott
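The distinction Scott draws, a holder-of-key ds:KeyInfo that carries a KeyName versus one that embeds the full cert while the key itself was still exchanged out of band, as an added example that is not part of the thread: the assertion below is constructed, its X509Certificate payload is placeholder bytes rather than a real DER certificate, and the OOB key table is assumed.

```python
"""Inspect ds:KeyInfo inside SAML 2.0 holder-of-key SubjectConfirmation elements
and resolve it against keys the relying party already holds (exchanged OOB)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample assertion; the X509Certificate content is placeholder bytes 0x00..0x09.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_example">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo>
          <ds:KeyName>alice-key-2004</ds:KeyName>
          <ds:X509Data><ds:X509Certificate>AAECAwQFBgcICQ==</ds:X509Certificate></ds:X509Data>
        </ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def hok_key_refs(assertion_xml):
    """Return [(kind, value)] for every key reference in holder-of-key confirmations.
    kind is 'KeyName' (value is the name) or 'X509Certificate' (value is sha256 hex of the DER)."""
    root = ET.fromstring(assertion_xml)
    refs = []
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        for ki in sc.iterfind(".//ds:KeyInfo", NS):
            for kn in ki.iterfind("ds:KeyName", NS):
                refs.append(("KeyName", kn.text.strip()))
            for cert in ki.iterfind("ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                refs.append(("X509Certificate", hashlib.sha256(der).hexdigest()))
    return refs

def resolve_holder_key(assertion_xml, oob_keys):
    """Map the assertion's key references onto keys exchanged out of band.
    oob_keys: {KeyName or cert sha256 hex -> local key identifier} (assumed table).
    Whether the assertion names the key or embeds the cert, only a key the relying
    party already holds is accepted; an embedded cert on its own establishes nothing."""
    for _kind, value in hok_key_refs(assertion_xml):
        if value in oob_keys:
            return oob_keys[value]
    return None
```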