Subject: RE: [security-services] SAML2 Holder-of-Key Assertion Profile


I think that ProofInstant is redundant and misnamed.  At the very
least it should be ProofOnOrAfter rather than ProofInstant.

In any case, the normal interpretation for SubjectConfirmation is that
the proof (for holder of key) is done at the time of the presentation of
the assertion, not some days or months ago.  I see no need for SAML to
go into details in this area other than a recommendation to that effect
(the relying party can make their own security determination as to
whether or not to live with that recommendation).  

So, my $.02 is that you don't need ProofInstant.

Conor  

-----Original Message-----
From: Tom Scavo [mailto:trscavo@gmail.com] 
Sent: Sunday, August 17, 2008 6:26 PM
To: Scott Cantor
Cc: OASIS SSTC
Subject: Re: [security-services] SAML2 Holder-of-Key Assertion Profile

On Fri, Aug 15, 2008 at 2:54 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
> What if I don't physically present a certificate or a key, but I login
> with a password to an account that is known out of band to be mapped
> to a key? I should still be able to issue a HoK assertion.

Yes, that's a very good point.  In fact, it exposes a flaw in the
current profile: an issued <saml:SubjectConfirmation> element must
include a timestamp.  Since the <saml:SubjectConfirmationData> element
is extensible, this is fairly easy:

<saml:SubjectConfirmation
  Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml:SubjectConfirmationData
    xsi:type="saml:KeyInfoConfirmationDataType"
    xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
    hok:ProofInstant="2008-08-08T18:01:27.712Z">
    <ds:KeyInfo>
      <ds:X509Data>
        <!-- X.509 data here -->
      </ds:X509Data>
    </ds:KeyInfo>
  </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>

In the same way that ForceAuthn affects AuthnInstant, a requester can
force proof of possession by including an appropriate boolean value in
a requested <saml:SubjectConfirmation> element:

<saml:SubjectConfirmation
  Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml:SubjectConfirmationData
    xsi:type="saml:KeyInfoConfirmationDataType"
    xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
    hok:ForceProof="true">
    <ds:KeyInfo>
      <ds:X509Data>
        <!-- X.509 data here -->
      </ds:X509Data>
    </ds:KeyInfo>
  </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>

Unless there are objections, I'll include these requirements (and
schema) in the next version of the HoK Assertion Profile.

Thanks,
Tom
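As an added illustration of the relying-party side of this discussion (not code from the thread or from any SSTC deliverable), the following Python checks a holder-of-key SubjectConfirmation the way the thread describes: the key in KeyInfo must be the one the presenter proves possession of at presentation time, NotOnOrAfter is enforced, and the proposed hok:ProofInstant attribute is treated purely as local relying-party policy. The sample XML, the placeholder certificate text and the hok namespace URI are constructed from the messages above; the function names are my own.

```python
"""Relying-party validation of a SAML 2.0 holder-of-key SubjectConfirmation."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "hok": "urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key",  # namespace proposed in the thread
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample; the certificate text is a placeholder, not real X.509 data.
SAMPLE = f"""<saml:SubjectConfirmation xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    xmlns:hok="{NS['hok']}" Method="{HOK_METHOD}">
  <saml:SubjectConfirmationData NotOnOrAfter="2008-08-08T19:01:27Z"
      hok:ProofInstant="2008-08-08T18:01:27.712Z">
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>"""

def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC (trailing Z, optional fractional seconds)."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_hok_confirmation(xml_text, presented_cert, now, max_proof_age=None):
    """Return (ok, reason). presented_cert is the base64 body of the certificate whose
    key the presenter proved possession of in this request (e.g. its TLS client cert).
    max_proof_age (seconds) is optional local policy applied to hok:ProofInstant."""
    sc = ET.fromstring(xml_text)
    if sc.get("Method") != HOK_METHOD:
        return False, "not a holder-of-key confirmation"
    scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "missing SubjectConfirmationData"
    expiry = scd.get("NotOnOrAfter")
    if expiry is not None and now >= parse_instant(expiry):
        return False, "confirmation expired"
    # Proof of possession happens now: the presented key must be the one bound in KeyInfo.
    certs = ["".join((c.text or "").split())
             for c in scd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if "".join(presented_cert.split()) not in certs:
        return False, "presented key does not match KeyInfo"
    proof = scd.get("{%s}ProofInstant" % NS["hok"])
    if max_proof_age is not None and proof is not None:
        age = (now - parse_instant(proof)).total_seconds()
        if age < 0 or age > max_proof_age:
            return False, "ProofInstant outside policy window"
    return True, "ok"
```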
