Subject: RE: [security-services] SAML2 Holder-of-Key Assertion Profile
I think that ProofInstant is redundant and mis-named. At the very least it should be ProofOnOrAfter rather than ProofInstant. In any case, the normal interpretation for SubjectConfirmation is that the proof (for holder of key) is done at the time of the presentation of the assertion, not some days or months ago. I see no need for SAML to go into details in this area other than a recommendation to that effect (the relying party can make their own security determination as to whether or not to live with that recommendation). So, my $.02 is that you don't need ProofInstant.

Conor

-----Original Message-----
From: Tom Scavo [mailto:trscavo@gmail.com]
Sent: Sunday, August 17, 2008 6:26 PM
To: Scott Cantor
Cc: OASIS SSTC
Subject: Re: [security-services] SAML2 Holder-of-Key Assertion Profile

On Fri, Aug 15, 2008 at 2:54 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
> What if I don't physically present a certificate or a key, but I login with a
> password to an account that is known out of band to be mapped to a key? I
> should still be able to issue a HoK assertion.

Yes, that's a very good point. In fact, it exposes a flaw in the current profile: an issued <saml:SubjectConfirmation> element must include a timestamp.
Since the <saml:SubjectConfirmationData> element is extensible, this is fairly easy:

  <saml:SubjectConfirmation
      Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <saml:SubjectConfirmationData
        xsi:type="saml:KeyInfoConfirmationDataType"
        xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
        hok:ProofInstant="2008-08-08T18:01:27.712Z">
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- X.509 data here -->
        </ds:X509Data>
      </ds:KeyInfo>
    </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>

In the same way that ForceAuthn affects AuthnInstant, a requester can force proof of possession by including an appropriate boolean value in a requested <saml:SubjectConfirmation> element:

  <saml:SubjectConfirmation
      Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <saml:SubjectConfirmationData
        xsi:type="saml:KeyInfoConfirmationDataType"
        xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
        hok:ForceProof="true">
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- X.509 data here -->
        </ds:X509Data>
      </ds:KeyInfo>
    </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>

Unless there are objections, I'll include these requirements (and schema) in the next version of the HoK Assertion Profile.

Thanks,
Tom
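As an added example, not code from this thread or from the SSTC: a relying-party check in Python of the kind Conor describes, where holder-of-key confirmation is performed at presentation time by matching the presented certificate against ds:X509Data, and the proposed hok:ProofInstant attribute is consulted only if the relying party chooses to enforce a maximum proof age. The hok namespace URI is taken from Tom's snippet; the assertion text and the "presented" certificate bytes are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
HOK_NS = "urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"  # as proposed in the thread

# Constructed sample: placeholder DER bytes stand in for the TLS client certificate.
PRESENTED_CERT_DER = b"CONSTRUCTED-DER-PLACEHOLDER"
ASSERTION_XML = f"""
<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" xmlns:hok="{HOK_NS}">
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData hok:ProofInstant="2008-08-08T18:01:27.712Z">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(PRESENTED_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>
"""

def _parse_instant(iso_utc):
    # SAML timestamps are UTC with a trailing "Z"; make them parseable on older Pythons.
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))

def confirm_holder_of_key(assertion_xml, presented_der, now_iso=None, max_proof_age_s=None):
    """True if the presenter holds a key bound by a holder-of-key SubjectConfirmation.
    The binding is checked now, at presentation. hok:ProofInstant is only consulted
    when the relying party sets max_proof_age_s (its own policy, per the thread)."""
    root = ET.fromstring(assertion_xml)
    presented_fp = hashlib.sha256(presented_der).digest()
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer or other methods are not holder-of-key
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            continue
        if max_proof_age_s is not None:
            instant = scd.get(f"{{{HOK_NS}}}ProofInstant")
            if instant is None:
                continue  # policy demands a proof time but none was asserted
            age = (_parse_instant(now_iso) - _parse_instant(instant)).total_seconds()
            if age > max_proof_age_s:
                continue  # proof is stale under the relying party's policy
        for cert in scd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            if hashlib.sha256(der).digest() == presented_fp:
                return True
    return False
```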