wss-dev message

Subject: Re: [wss-dev] SAML token and holder of key.


Typically an HOK assertion would be protected for integrity by its 
issuer, so replacing the public key wouldn't be possible. The issuer of 
an HOK assertion typically signs the assertion in an enveloped-signature 
manner.

Vishal

Giuseppe Sarno wrote:

>If I put a Public Key in the SubjectConfirmation and used my Private Key
>to create the <ds:Signature> element, wouldn't this be open to a MITM
>attack? I mean the attacker could change the PublicKey as well as use
>his private key to sign the message.
>To avoid this, wouldn't a Certificate (X.509) in the SubjectConfirmation
>be a better option? (without considering out-of-band agreement).
>Continuing on this, why then does the Spec say on page 28 that holder of
>key is not vulnerable to a MITM attack?
>What am I missing?
>
>Thanks.
>Giuseppe.

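A minimal model of the holder-of-key binding discussed in this thread, added here as an example (it is not code from the thread, from OASIS, or from the WSS spec). It uses Ed25519 over byte strings as a stand-in for the assertion, its `<SubjectConfirmation>` key and the issuer's enveloped `<ds:Signature>` rather than real SAML/XML-DSig, and every key and subject name in it is constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Assertion models a holder-of-key assertion: the issuer binds a subject name to
// the subject's public key and signs that binding (the enveloped <ds:Signature>).
type Assertion struct {
	Subject    string
	SubjectKey ed25519.PublicKey // stand-in for the key in <SubjectConfirmation>
	IssuerSig  []byte
}

// signedContent is what the issuer's signature covers: subject name and key.
func (a Assertion) signedContent() []byte {
	return append([]byte(a.Subject+"|"), a.SubjectKey...)
}

// VerifyHOK is the relying party's check: the issuer's signature over the
// assertion must hold, then the body must be signed with the bound key.
func VerifyHOK(issuerPub ed25519.PublicKey, a Assertion, body, holderSig []byte) error {
	if !ed25519.Verify(issuerPub, a.signedContent(), a.IssuerSig) {
		return errors.New("assertion: issuer signature invalid (key or subject altered)")
	}
	if !ed25519.Verify(a.SubjectKey, body, holderSig) {
		return errors.New("message: not signed by the key bound in the assertion")
	}
	return nil
}

// Demo plays out the thread's scenario with constructed keys: the real holder's
// message verifies; a message whose confirmation key was swapped and body re-signed
// with the matching private key fails at the issuer-signature check.
func Demo() (legitErr, swapErr error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	body := []byte("constructed request body")
	a := Assertion{Subject: "subject@example.test", SubjectKey: holderPub}
	a.IssuerSig = ed25519.Sign(issuerPriv, a.signedContent()) // issuer signs the binding
	legitErr = VerifyHOK(issuerPub, a, body, ed25519.Sign(holderPriv, body))
	swapped := a // issuer signature kept, confirmation key replaced
	swapped.SubjectKey = otherPub
	swapErr = VerifyHOK(issuerPub, swapped, body, ed25519.Sign(otherPriv, body))
	return legitErr, swapErr
}
```

The swap is rejected before the message signature is even examined, which is the property the spec relies on: the confirmation key is only trustworthy because the issuer's signature covers it.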