security-services message



Subject: RE: [security-services] Adding channel bindings to signed SAMLRequests


Hi Scott,

I was always under the impression that one advantage of SAML (un-CB) was that the signed SAML assertions are independent objects, regardless of underlying transport.

However, I do see that in some cases having proof of binding to a transport like TLS is required.

Hmmm, not to open a can of worms, but could I then use the SAML Request/Response (with CB) to build a key-negotiation protocol for a higher layer app?

/thomas/

__________________________________________


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Tuesday, September 07, 2010 4:30 PM
> To: 'Josh Howlett'
> Cc: security-services@lists.oasis-open.org
> Subject: RE: [security-services] Adding channel bindings to signed SAML
> Requests
> 
> > > Am I missing something, or is this reasonable?
> >
> > FWIW it sounds reasonable to me. I'd been having similar thoughts
> > myself... whether one could attach a <SubjectConfirmation> to the
> > protocol message, with a newly defined SC method whose
> > <SubjectConfirmationData> provides the CB data as you've described.
> 
> It wouldn't work at the protocol level, because SC is an assertion-
> specific concept, but even though extensions are optional, they can
> still be required by deployments, or servers can change their behavior
> based on them.
> 
> > It's not a great fit, as SAML Subject Confirmation is explicitly
> > scoped to "the correspondence of the subject of the assertion", but
> > there might be some value in this re-use.
> 
> I think SC confuses people enough without overloading its meaning.
> 
> -- Scott
> 
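The check the thread is circling around, as an added example (not code from the thread, and not any SAML implementation's API): a channel-binding value carried in a signed AuthnRequest is only useful if the receiver compares it against the binding of the TLS channel the request actually arrived on. The `cb:ChannelBinding` extension element, its namespace, and the SHA-256 `tls-server-end-point` computation are assumptions for illustration; XML signature verification, which must succeed before the extension is trusted, is left out.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Hypothetical extension namespace for the channel-binding data; not part of any SAML spec.
CB_NS = "urn:example:saml:channel-binding"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("cb", CB_NS)


def tls_server_end_point(server_cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' binding, assuming the certificate is SHA-256 signed."""
    return hashlib.sha256(server_cert_der).digest()


def build_authn_request(request_id: str, cb_type: str, cb_value: bytes) -> str:
    """Minimal AuthnRequest with the binding placed in <samlp:Extensions>.
    A real deployment signs the whole element so the extension is covered by the signature."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=request_id, Version="2.0")
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    cb = ET.SubElement(ext, f"{{{CB_NS}}}ChannelBinding", Type=cb_type)
    cb.text = base64.b64encode(cb_value).decode()
    return ET.tostring(req, encoding="unicode")


def verify_channel_binding(xml_text: str, channel_cb_value: bytes,
                           expected_type: str = "tls-server-end-point") -> bool:
    """Accept only if the binding inside the (already signature-checked) request
    matches the binding derived from the TLS channel this request arrived on.
    A request with no binding is rejected, since the deployment requires one."""
    root = ET.fromstring(xml_text)
    cb = root.find(f"{{{SAMLP}}}Extensions/{{{CB_NS}}}ChannelBinding")
    if cb is None or cb.get("Type") != expected_type or not cb.text:
        return False
    try:
        claimed = base64.b64decode(cb.text, validate=True)
    except ValueError:
        return False
    # Constant-time comparison so the check itself does not leak the expected value.
    return hmac.compare_digest(claimed, channel_cb_value)
```

A request replayed over a different TLS channel carries the old binding and fails the comparison even though its signature is still valid.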


