OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] Drafts for review: Kerberos & SAML profiles


Josh Howlett wrote on 2009-08-07:
> Just to check my understanding, am I correct in thinking that this is
> intended to satisfy the following: (SAMLCore, 3.3.2.3 Element
> <AttributeQuery>)
> 
> "If a given <saml:Attribute> element contains one or more
> <saml:AttributeValue> elements, then if that attribute is returned in
> the response, it MUST NOT contain any values that are not equal to the
> values specified in the query."

Yes. If you have to define equality differently from some kind of (implied)
XML comparison, then it has to be spelled out in the attribute's definition.

> That's an interesting idea. It certainly seems simpler than grafting
> Kerberos onto the HoK AP. Are there any reasons why we would not
> want to do this?

I think it relates more than anything else to the WSS SAML token profile,
and given that I think that document probably needs to be revisited anyway,
I'm not sure I care at this point.

From my perspective, it was never supposed to be the case that everything in
the world that wasn't Bearer would get turned into HoK just by burying
information in KeyInfo. The term "key" is broad enough, certainly, but I
don't see that there's a lot to be gained by hiding the fact that it's
Kerberos.

I guess what bothered me is that the principal name really isn't a key name,
and to the extent that you think of the principal name as representing the
principal's secret key, that isn't actually the key being proved here,
right? It's the session key in the ticket being used to prove possession.

-- Scott
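The value-restriction rule quoted at the top of the thread (SAMLCore 3.3.2.3) is easy to get wrong on the responder side, and Scott's point is that the notion of "equal" has to come from the attribute definition when plain XML comparison is not what is meant. The following is an added example, not code from the original message or from any OASIS implementation: a minimal AttributeQuery responder that returns only the stored values equal to the queried ones, with per-attribute equality rules. The attribute store, the OIDs chosen, the namespace prefixes and the case-insensitive rule for the mail attribute are all assumptions made for the example.

```python
# Added example: enforce SAMLCore 3.3.2.3 on the attribute responder side.
# When the query's <saml:Attribute> carries <saml:AttributeValue> children,
# the returned attribute must not contain any value that is not equal to one
# of the queried values. "Equal" defaults to plain string comparison of the
# element text (standing in for the implied XML comparison); an attribute
# definition that needs a different rule registers its own comparator.
# The store, OIDs and sample query below are constructed for this example.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical attribute store for one principal.
STORE = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["jdoe@example.edu"],     # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["member", "staff"],      # eduPersonAffiliation
    "urn:oid:0.9.2342.19200300.100.1.3": ["JDoe@Example.EDU"],    # mail
}

def exact_equal(queried, stored):
    """Default rule: the value text must match exactly."""
    return queried == stored

def case_insensitive_equal(queried, stored):
    """Alternative rule an attribute definition might spell out."""
    return queried.casefold() == stored.casefold()

# Per-attribute equality rules; anything not listed falls back to exact_equal.
# Treating mail as case-insensitive is an assumption for the example, i.e. the
# kind of rule that would have to be written into the attribute's definition.
EQUALITY = {
    "urn:oid:0.9.2342.19200300.100.1.3": case_insensitive_equal,
}

# Constructed AttributeQuery: two attributes with values, one without.
SAMPLE_QUERY = """<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q1" Version="2.0"
    IssueInstant="2009-08-07T00:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
    <saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>faculty</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
</samlp:AttributeQuery>"""

def parse_query(xml_text):
    """Return {attribute Name: [queried value texts]} for an AttributeQuery.

    An attribute with no <saml:AttributeValue> children maps to an empty list,
    which means "return whatever values you hold".
    """
    root = ET.fromstring(xml_text)
    query = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        query[attr.get("Name")] = values
    return query

def answer_query(query, store=STORE, equality=EQUALITY):
    """Build the released attributes, applying the value restriction.

    Stored values that are not equal (per the attribute's rule) to at least one
    queried value are dropped; an attribute left with no values is omitted
    rather than returned empty.
    """
    response = {}
    for name, queried in query.items():
        if name not in store:
            continue                      # nothing held for this principal
        stored = store[name]
        if not queried:
            response[name] = list(stored)  # no values queried: release all
            continue
        eq = equality.get(name, exact_equal)
        matched = [s for s in stored if any(eq(q, s) for q in queried)]
        if matched:
            response[name] = matched
    return response

if __name__ == "__main__":
    print(answer_query(parse_query(SAMPLE_QUERY)))
```

Running the sample query against the store releases only `staff` for the affiliation attribute (the queried `faculty` is not held, and the held `member` was not asked for), releases the mail value because the attribute's own rule makes the comparison case-insensitive, and releases the full principal-name value because the query gave no values for it. Calling `answer_query` with an empty `equality` map instead drops the mail attribute entirely, which is exactly the behaviour difference the equality definition has to settle.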



