Subject: Re: [wss-dev] SAML token and holder of key.
Typically an HOK assertion would be protected for integrity by its issuer, so replacing the public key wouldn't be possible. The issuer of an HOK assertion typically signs the assertion in an enveloped-signature manner.

Vishal Giuseppe Sarno wrote:
> If I put a Public Key in the SubjectConfirmation and used my Private Key
> to create the <ds:Signature> element, wouldn't this be open to MITM
> attack? I mean the attacker could change the PublicKey as well as using
> his private key to sign the message.
> To avoid this, shouldn't a Certificate (509) in the Subject confirmation
> be a better option? (without considering out of band agreement).
> Continuing on this, why then does the Spec say on page 28 that the holder of
> key is not vulnerable to MITM attack?
> What am I missing?
>
> Thanks.
> Giuseppe.
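The point of the reply, as an added example that is not code from the thread, from the WS-Security SAML Token Profile, or from any SAML toolkit: the issuer's signature covers the whole assertion, including the key inside SubjectConfirmation, so a relying party verifies the issuer's signature first and only then uses the confirmed key to check the message signature. The assertion structure below is a deliberately minimal stand-in for the SAML schema, the "enveloped signature" is modelled as an RSA/SHA-256 signature over a plain XML marshal instead of XML-DSig with C14N, and the issuer, subject and attacker keys are generated on the spot; all of that is an assumption of the example, not something the thread specifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Assertion is a deliberately minimal stand-in for a SAML holder-of-key
// assertion (constructed for this example, not the real SAML schema):
// the issuer vouches that Subject holds the key in SubjectConfirmation.
type Assertion struct {
	XMLName   xml.Name `xml:"Assertion"`
	Issuer    string   `xml:"Issuer"`
	Subject   string   `xml:"Subject"`
	HolderKey string   `xml:"SubjectConfirmation>KeyInfo>PublicKey"` // base64 PKIX DER
}

// encodeKey puts a public key into the form carried inside the assertion.
func encodeKey(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}

// canonical is the byte string the issuer's signature covers. Real XML-DSig
// canonicalises the Assertion element; a plain marshal stands in for that
// here because both sides produce it from the same struct.
func canonical(a Assertion) []byte {
	b, err := xml.Marshal(a)
	if err != nil {
		panic(err)
	}
	return b
}

func sign(priv *rsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *rsa.PublicKey, data, sig []byte) error {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// VerifyHOK is the relying party's check. Order matters: the issuer's
// signature over the assertion is checked first, because only then is the
// key inside SubjectConfirmation trustworthy enough to verify the message.
func VerifyHOK(a Assertion, assertionSig []byte, issuerPub *rsa.PublicKey, msg, msgSig []byte) error {
	if err := verify(issuerPub, canonical(a), assertionSig); err != nil {
		return fmt.Errorf("assertion signature invalid, SubjectConfirmation key untrusted: %w", err)
	}
	der, err := base64.StdEncoding.DecodeString(a.HolderKey)
	if err != nil {
		return err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	holder, ok := pub.(*rsa.PublicKey)
	if !ok {
		return errors.New("holder key is not RSA")
	}
	if err := verify(holder, msg, msgSig); err != nil {
		return fmt.Errorf("message not signed by the confirmed holder key: %w", err)
	}
	return nil
}

// Scenario runs the exchange from the thread: the honest holder is accepted,
// and the attacker who swaps in his own key and re-signs the message is not.
// Returns (honestAccepted, attackRejected).
func Scenario() (bool, bool) {
	issuer, _ := rsa.GenerateKey(rand.Reader, 2048)
	subject, _ := rsa.GenerateKey(rand.Reader, 2048)
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)

	// Issuer binds the subject to the subject's key and signs the whole assertion.
	a := Assertion{Issuer: "idp.example", Subject: "giuseppe", HolderKey: encodeKey(&subject.PublicKey)}
	assertionSig := sign(issuer, canonical(a))

	// Honest subject proves possession by signing the message with the confirmed key.
	msg := []byte("<soap:Body>transfer 10</soap:Body>") // constructed sample message
	honest := VerifyHOK(a, assertionSig, &issuer.PublicKey, msg, sign(subject, msg)) == nil

	// MITM replaces the confirmation key and signs the message with his own key;
	// the issuer's signature no longer matches the modified assertion.
	tampered := a
	tampered.HolderKey = encodeKey(&attacker.PublicKey)
	attack := VerifyHOK(tampered, assertionSig, &issuer.PublicKey, msg, sign(attacker, msg))
	return honest, attack != nil
}

func main() {
	ok, rejected := Scenario()
	fmt.Println("honest holder accepted:", ok, "- key-swap rejected:", rejected)
}
```

The attacker's only remaining option is to obtain a fresh assertion from the issuer for his own key, which is exactly the case the issuer's authentication of the requester is meant to prevent; a certificate in SubjectConfirmation does not change this analysis, since without the issuer's signature an attacker could swap the certificate just as easily as a bare key.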