OASIS Mailing List Archives

security-services message

Subject: Re: [security-services] SAML2 Holder-of-Key Assertion Profile


On Fri, Aug 15, 2008 at 2:54 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
> What
> if I don't physically present a certificate or a key, but I login with a
> password to an account that is known out of band to be mapped to a key? I
> should still be able to issue a HoK assertion.

Yes, that's a very good point.  In fact, it exposes a flaw in the
current profile: an issued <saml:SubjectConfirmation> element must
include a timestamp.  Since the <saml:SubjectConfirmationData> element
is extensible, this is fairly easy:

<saml:SubjectConfirmation
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml:SubjectConfirmationData
    xsi:type="saml:KeyInfoConfirmationDataType"
    xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
    hok:ProofInstant="2008-08-08T18:01:27.712Z">
    <ds:KeyInfo>
      <ds:X509Data>
        <!-- X.509 data here -->
      </ds:X509Data>
    </ds:KeyInfo>
  </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>

In the same way that ForceAuthn affects AuthnInstant, a requester can
force proof of possession by including an appropriate boolean value in
a requested <saml:SubjectConfirmation> element:

<saml:SubjectConfirmation
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml:SubjectConfirmationData
    xsi:type="saml:KeyInfoConfirmationDataType"
    xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
    hok:ForceProof="true">
    <ds:KeyInfo>
      <ds:X509Data>
        <!-- X.509 data here -->
      </ds:X509Data>
    </ds:KeyInfo>
  </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>

Unless there are objections, I'll include these requirements (and
schema) in the next version of the HoK Assertion Profile.

Thanks,
Tom
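The relying-party side of the proposal above, as an added example that is not part of the thread or of the OASIS profile: it parses the <saml:SubjectConfirmation> shape Tom sketches, reads the hok:ProofInstant attribute exactly as proposed in this message (that a final profile carries such an attribute is an assumption here), and applies the two checks a relying party needs before trusting a holder-of-key assertion: the key the presenter actually used matches the key bound in <ds:KeyInfo>, and the proof of possession is recent enough. The sample confirmation, the freshness window and the certificate value are constructed; the certificate body is a placeholder string, not a real certificate.

```python
"""Relying-party check of a holder-of-key SubjectConfirmation (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "hok": "urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
# hok:ProofInstant is the attribute proposed in the message above (assumption:
# a final profile would carry it); ElementTree exposes it in Clark notation.
PROOF_INSTANT_ATTR = "{%s}ProofInstant" % NS["hok"]

# Constructed sample confirmation; the certificate body is a placeholder.
SAMPLE_CONFIRMATION = """
<saml:SubjectConfirmation
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
  Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml:SubjectConfirmationData
    xsi:type="saml:KeyInfoConfirmationDataType"
    hok:ProofInstant="2008-08-08T18:01:27.712Z">
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER-CERT...==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
"""


def parse_instant(value):
    """Parse the UTC xs:dateTime form SAML uses, with or without fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a trailing Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)


def extract_hok(xml_text):
    """Return (bound_certificate, proof_instant) from a HoK SubjectConfirmation.

    Every missing piece is an error: without a bound key there is nothing to
    confirm, and without a proof instant the relying party cannot judge
    whether the possession proof is fresh (the gap the thread identifies).
    """
    root = ET.fromstring(xml_text)
    if root.get("Method") != HOK_METHOD:
        raise ValueError("not a holder-of-key confirmation")
    data = root.find("saml:SubjectConfirmationData", NS)
    if data is None:
        raise ValueError("holder-of-key confirmation needs SubjectConfirmationData")
    cert = data.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text or not cert.text.strip():
        raise ValueError("no certificate bound in ds:KeyInfo")
    instant = data.get(PROOF_INSTANT_ATTR)
    if instant is None:
        raise ValueError("proof instant missing: freshness cannot be judged")
    # Base64 in X509Certificate may be wrapped; compare whitespace-free.
    return "".join(cert.text.split()), parse_instant(instant)


def verify_hok(xml_text, presented_cert, now, max_age=timedelta(minutes=5)):
    """Accept only if the presented key is the bound key and the proof is fresh.

    max_age (constructed default of five minutes) is the relying party's own
    policy; a small forward skew is tolerated for clock differences.
    """
    bound, proven_at = extract_hok(xml_text)
    if "".join(presented_cert.split()) != bound:
        return False, "presented certificate does not match the bound key"
    if proven_at > now + timedelta(seconds=30):
        return False, "proof instant lies in the future"
    if now - proven_at > max_age:
        return False, "proof of possession is stale"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2008, 8, 8, 18, 3, 0, tzinfo=timezone.utc)
    print(verify_hok(SAMPLE_CONFIRMATION, "MIIB...PLACEHOLDER-CERT...==", now))
```

In a real deployment the presented certificate comes from the TLS client authentication or the XML signature over the message the presenter sent, and the comparison would be on the parsed certificate (or its public key) rather than on the base64 text; the freshness policy is where a relying party decides how old a password-backed proof, as in Scott's scenario, may be before it should be refreshed.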

