
security-services message



Subject: Re: [security-services] SAML2 Holder-of-Key Assertion Profile


On Sun, Aug 17, 2008 at 7:43 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
> My inclination is to say that you're talking about something that belongs in
> AuthnContext, though, since you were responding to something I wrote about
> how authentication occurs.

Well, I thought you were talking about binding X.509 data to a
SubjectConfirmation element based on a proof of possession in the
past.

> Why is this any different than AuthnInstant?

The act of authentication and the proof of possession are separate
processes in general.  Not unlike basing an authentication on an
existing security context, I thought you were suggesting that a
holder-of-key SubjectConfirmation element might be based on a previous
proof of possession.

Maybe I was reading too much into your remarks.  If so, that's fine,
since the use case doesn't seem to be awfully compelling anyway.

> And
> before you ask "what if there is no AuthnStatement?", my response would be
> "there should be if you care about this".

Yes, there is an AuthnStatement but not in this "assertion profile."
It is specified in the next profile that begins to flesh out the
protocol exchange that results in a HoK assertion.

Tom

