OASIS Mailing List Archives
security-services message



Subject: Re: issues with sstc-saml2-holder-of-key-draft-02


On Mon, Aug 25, 2008 at 11:26 AM, Tom Scavo <trscavo@gmail.com> wrote:
> For the purposes of discussion, this is a brief summary of the open
> issues regarding the "SAML V2.0 Holder-of-Key Assertion Profile":
>
> http://wiki.oasis-open.org/security/SAMLHoKSubjectConfirmation

I've recently uploaded draft-03, including a diff.

> 1. Should the non-normative Background section (2.2) be eliminated (or
> significantly pared down)?

The "Background" section has been changed to "Profile Description" and
has been trimmed.

> 2. The following two normative requirements are specified:
>
> i) The presenter MUST present an X.509 public key certificate
> ii) The presenter MUST prove possession of the corresponding private key
>
> Should these requirements be removed from the profile?

These requirements have been removed.  In draft-03, there is no
mention of a presenter or the act of proving possession of a private
key.  All that remains is the mere existence of an X.509 certificate.
How an issuer or relying party obtains the certificate is out of
scope.

> 3. Is there a need for a ProofInstant attribute (analogous to AuthnInstant)?

Although I think there may be a need, no such attribute was added
(since it would require a discussion of the proof of possession step,
which has been removed).

> 4. How should a relying party process ds:X509Certificate, by comparing
> certificates (byte for byte) or comparing keys?

A "relying party MUST confirm that the DER-encoded certificate bound
to the assertion matches the X.509 certificate...by comparing the
certificates, or the hash values of the certificates, byte-for-byte."

> 5. What are the conformance requirements?  (Currently,
> ds:X509Certificate and ds:X509SKI are specified as required to
> implement.)

The conformance requirements have been simplified so that
<ds:X509Certificate> is mandatory to implement by both the issuer and
the relying party.  However, it may be desirable to require the issuer
to support all four elements (<ds:X509Certificate>, <ds:X509SKI>,
<ds:X509SubjectName>, and <ds:X509IssuerSerial>).  I'll leave this
open to discussion.

Tom


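The relying-party check described under item 4 above (compare the DER-encoded certificate bound to the assertion against the certificate the relying party holds, byte-for-byte, either directly or via a hash), as an added example that is not part of the original message or of any OASIS deliverable. It parses a constructed SAML 2.0 assertion whose holder-of-key SubjectConfirmation carries a ds:X509Certificate, base64-decodes it to DER, and compares it with the presented DER bytes. The certificate bytes are a constructed stand-in rather than a real X.509 certificate, and the element layout (ds:KeyInfo inside SubjectConfirmationData) is assumed for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def certs_bound_to_assertion(assertion_xml: str) -> list:
    """Return the DER bytes of every ds:X509Certificate found inside a
    holder-of-key SubjectConfirmation of the assertion."""
    root = ET.fromstring(assertion_xml)
    bound = []
    for sc in root.iter("{%s}SubjectConfirmation" % SAML_NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer or other methods are not holder-of-key
        for cert in sc.iter("{%s}X509Certificate" % DS_NS):
            # Strip the line breaks and indentation that XML pretty-printing
            # adds; the comparison is done on the decoded DER, not on base64.
            bound.append(base64.b64decode("".join((cert.text or "").split())))
    return bound


def matches_byte_for_byte(bound_der: bytes, presented_der: bytes) -> bool:
    """Direct comparison of the two DER encodings (constant time)."""
    return hmac.compare_digest(bound_der, presented_der)


def matches_by_hash(bound_der: bytes, presented_der: bytes) -> bool:
    """Equivalent comparison via SHA-256 of each DER encoding."""
    return hmac.compare_digest(hashlib.sha256(bound_der).digest(),
                               hashlib.sha256(presented_der).digest())


def confirm_holder_of_key(assertion_xml: str, presented_der: bytes,
                          use_hash: bool = False) -> bool:
    """True if any certificate bound to the assertion matches the
    presented certificate; False if there is no holder-of-key binding."""
    bound = certs_bound_to_assertion(assertion_xml)
    if not bound:
        return False
    compare = matches_by_hash if use_hash else matches_byte_for_byte
    return any(compare(c, presented_der) for c in bound)


# Constructed stand-in for a DER-encoded certificate (not a real X.509 cert).
PRESENTED_DER = b"\x30\x82\x01\x0a" + bytes(range(20)) * 4
# Same bytes with the last byte flipped: must NOT be accepted.
TAMPERED_DER = PRESENTED_DER[:-1] + bytes([PRESENTED_DER[-1] ^ 0x01])


def sample_assertion(der: bytes) -> str:
    """Constructed holder-of-key assertion binding the given certificate.
    encodebytes() line-wraps the base64, as many signers do."""
    b64 = base64.encodebytes(der).decode()
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" Version="2.0">\n'
        '  <saml:Subject>\n'
        '    <saml:NameID>alice@example.org</saml:NameID>\n'
        '    <saml:SubjectConfirmation Method="%s">\n'
        '      <saml:SubjectConfirmationData>\n'
        '        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n'
        '%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>\n'
        '      </saml:SubjectConfirmationData>\n'
        '    </saml:SubjectConfirmation>\n'
        '  </saml:Subject>\n'
        '</saml:Assertion>\n'
    ) % (SAML_NS, DS_NS, HOK_METHOD, b64)


if __name__ == "__main__":
    a = sample_assertion(PRESENTED_DER)
    print("genuine, byte-for-byte:", confirm_holder_of_key(a, PRESENTED_DER))
    print("genuine, by hash:      ", confirm_holder_of_key(a, PRESENTED_DER, True))
    print("tampered:              ", confirm_holder_of_key(a, TAMPERED_DER))
```

Comparing the decoded DER rather than the base64 text is what makes the check robust to whitespace and line-wrapping differences between the issuer's serialisation and the relying party's copy, while still rejecting any single-byte change in the certificate itself. A SubjectConfirmation with a method other than holder-of-key contributes nothing, so an assertion that carries only a bearer confirmation is not confirmed by this routine.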