Subject: Re: [security-services] SAML2 Holder-of-Key Assertion Profile
On Fri, Aug 15, 2008 at 2:54 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
> What if I don't physically present a certificate or a key, but I login with a
> password to an account that is known out of band to be mapped to a key? I
> should still be able to issue a HoK assertion.

Good point.

> Separately, I would continue to argue that the profile would be better if it
> forced a consistent key-based processing model. If I put a certificate into
> the assertion, I want to be able to confirm that assertion with that key,
> period. The fact that other syntaxes can also be used doesn't change the
> value of that processing rule, because of the ubiquity and convenience of
> certificates. I argue that there is no value in forcing certificate
> equality, and advantages to not doing so. Consistency across the different
> syntaxes, for one.

I agree this is one of two open issues (the other is conformance). If a key-based processing model doesn't otherwise detract from a PKI (if one happens to exist), I could support it. I'm not yet convinced that's the case, however, which is why I proposed a natural processing model based on the particular X.509 data item bound to the assertion.

Tom
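The two processing rules being weighed above, side by side, as an added example that is not part of the original thread and not text from the OASIS profile: "certificate equality" (the presented certificate must be the very certificate bound to the assertion) versus "key-based" (whatever syntax the assertion uses, reduce it to a public key and compare keys). Everything here is an assumption of the example: the `KeyInfo` struct is a simplified stand-in for the decoded ds:KeyInfo, with the ds:KeyValue syntax represented as an already-encoded SubjectPublicKeyInfo rather than the real RSAKeyValue/DSAKeyValue structure; the certificates are throwaway self-signed ones minted at run time; and the function names `CertificateEquality`, `KeyBased`, `Evaluate` and `RunScenarios` are the example's own, not anything from the profile or from any SAML implementation. Go's standard library is used so the block runs with no dependencies.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// KeyInfo is the confirmation key material of a holder-of-key
// SubjectConfirmation after XML decoding. Assumption for this example: the
// ds:KeyValue syntax is represented as an already-encoded SubjectPublicKeyInfo.
type KeyInfo struct {
	CertDER []byte // ds:X509Data/ds:X509Certificate, DER
	SPKI    []byte // ds:KeyValue (simplified, see above)
}

// CertificateEquality: the presented certificate (e.g. the TLS client
// certificate) must be byte-identical to the certificate in the assertion.
func CertificateEquality(ki KeyInfo, presented *x509.Certificate) error {
	if ki.CertDER == nil {
		return errors.New("assertion carries no X509Certificate; rule not applicable")
	}
	if !bytes.Equal(ki.CertDER, presented.Raw) {
		return errors.New("presented certificate is not the asserted certificate")
	}
	return nil
}

// KeyBased: reduce whichever syntax the assertion uses to a public key and
// compare that with the public key in the presented certificate.
func KeyBased(ki KeyInfo, presented *x509.Certificate) error {
	spki := ki.SPKI
	if spki == nil {
		if ki.CertDER == nil {
			return errors.New("assertion carries no key material")
		}
		c, err := x509.ParseCertificate(ki.CertDER)
		if err != nil {
			return err
		}
		spki = c.RawSubjectPublicKeyInfo
	} else if _, err := x509.ParsePKIXPublicKey(spki); err != nil {
		return err // a KeyValue must at least be a well-formed key
	}
	if !bytes.Equal(spki, presented.RawSubjectPublicKeyInfo) {
		return errors.New("presented key is not the asserted key")
	}
	return nil
}

// Outcome records whether each rule accepts an (assertion, presented cert) pair.
type Outcome struct{ CertEquality, KeyBased bool }

func Evaluate(ki KeyInfo, presented *x509.Certificate) Outcome {
	return Outcome{CertificateEquality(ki, presented) == nil, KeyBased(ki, presented) == nil}
}

// selfSigned mints a throwaway certificate for the scenarios (constructed data).
func selfSigned(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "hok-subject"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// RunScenarios exercises both rules on the cases the thread is arguing about.
func RunScenarios() map[string]Outcome {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	orig := selfSigned(k1, 1)
	reissued := selfSigned(k1, 2) // same key, new certificate (renewal or new CA)
	other := selfSigned(k2, 3)    // unrelated key
	byCert := KeyInfo{CertDER: orig.Raw}
	byKey := KeyInfo{SPKI: orig.RawSubjectPublicKeyInfo}
	return map[string]Outcome{
		"same cert":         Evaluate(byCert, orig),
		"reissued same key": Evaluate(byCert, reissued),
		"other key":         Evaluate(byCert, other),
		"KeyValue only":     Evaluate(byKey, reissued),
	}
}
```

`RunScenarios` returns the verdict of each rule for four cases; call it from a `main` or a test. The interesting rows are the middle two: a certificate reissued for the same key (the routine PKI event of renewal, or a subject moving to a different CA) is rejected under certificate equality and accepted under the key-based rule, and an assertion that carries only a ds:KeyValue cannot be processed under certificate equality at all, which is the "consistency across the different syntaxes" point. Note what the key-based rule does not do: it never looks at the certificate's issuer, validity or chain, so if a deployment does rely on the PKI to vouch for the subject, that check has to happen elsewhere (TLS client-certificate validation, for instance) and is not supplied by the confirmation rule itself.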