Subject: RE: [wss-dev] SAML token and holder of key.
Hi,

Does this mean that for my Web service provider the Subject confirmation is not enough, and I also need an issuer Certificate or key?

Thanks.
Giuseppe.

-----Original Message-----
From: Vishal Mahajan [mailto:vmahajan@amberpoint.com]
Sent: 08 December 2005 11:34
To: Sarno, Giuseppe [MOP:GM15:EXCH]
Cc: wss-dev@lists.oasis-open.org
Subject: Re: [wss-dev] SAML token and holder of key.

Typically an HOK assertion would be protected for integrity by its issuer, so replacing the public key wouldn't be possible. The issuer of an HOK assertion typically signs the assertion in an enveloped-signature manner.

Vishal

Giuseppe Sarno wrote:
> If I put a Public Key in the SubjectConfirmation and used my Private Key to create the <ds:Signature> element, wouldn't this be open to MITM attack? I mean the attacker could change the PublicKey as well as use his private key to sign the message. To avoid this, shouldn't a Certificate (509) in the Subject confirmation be a better option? (without considering out of band agreement). Continuing on this, why then does the Spec say on page 28 that the holder of key is not vulnerable to MITM attack?
> What am I missing?
>
> Thanks.
> Giuseppe.
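The point Vishal makes is that the relying party trusts the key in the SubjectConfirmation only because the issuer's signature covers it, so a substituted key breaks the issuer signature before the holder's own signature is ever checked. The following Go program is an added illustration of that verification order and is not code from the thread or from any SAML toolkit. It stands in ECDSA P-256 signatures over a JSON encoding for XML-DSig over a real assertion, and the type and function names (Assertion, IssueHOK, Verify, Scenario) are assumptions made for the example. The `issuerSigns` flag compares the issuer-signed assertion with the unsigned one Giuseppe asked about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// Assertion models the two parts of a holder-of-key assertion that matter here:
// the subject and the public key it must prove possession of (SubjectConfirmation).
type Assertion struct {
	Subject    string `json:"subject"`
	SubjectKey []byte `json:"subject_key"` // DER-encoded public key
}

// SignedAssertion adds the issuer's signature over the assertion, standing in
// for the enveloped ds:Signature an issuer places in a real HOK assertion.
type SignedAssertion struct {
	Assertion Assertion `json:"assertion"`
	IssuerSig []byte    `json:"issuer_sig"` // nil when the issuer did not sign
}

// Message is a SOAP-style message: token in the header, a body, and the
// holder's signature over both (the proof of possession of SubjectKey).
type Message struct {
	Token     SignedAssertion `json:"token"`
	Body      string          `json:"body"`
	HolderSig []byte          `json:"holder_sig"`
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// hashJSON gives a deterministic digest of a value (a stand-in for canonical XML).
func hashJSON(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256(b)
	return h[:]
}

func sign(k *ecdsa.PrivateKey, v interface{}) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, k, hashJSON(v))
	if err != nil {
		panic(err)
	}
	return sig
}

// signedPart is what the holder signs: the token (as received) and the body.
func signedPart(m Message) interface{} {
	return struct {
		Token SignedAssertion
		Body  string
	}{m.Token, m.Body}
}

// IssueHOK creates a holder-of-key assertion binding subject to subjectPub.
func IssueHOK(issuer *ecdsa.PrivateKey, subject string, subjectPub *ecdsa.PublicKey, issuerSigns bool) SignedAssertion {
	der, err := x509.MarshalPKIXPublicKey(subjectPub)
	if err != nil {
		panic(err)
	}
	sa := SignedAssertion{Assertion: Assertion{Subject: subject, SubjectKey: der}}
	if issuerSigns {
		sa.IssuerSig = sign(issuer, sa.Assertion)
	}
	return sa
}

// SendMessage attaches the token and signs token+body with the holder's key.
func SendMessage(holder *ecdsa.PrivateKey, token SignedAssertion, body string) Message {
	m := Message{Token: token, Body: body}
	m.HolderSig = sign(holder, signedPart(m))
	return m
}

// Verify is the relying party's check: issuer signature over the assertion first,
// then the holder's signature with the key the (now trusted) assertion carries.
func Verify(trustedIssuer *ecdsa.PublicKey, m Message, requireIssuerSig bool) error {
	a := m.Token.Assertion
	if m.Token.IssuerSig == nil {
		if requireIssuerSig {
			return fmt.Errorf("assertion is not signed by the issuer")
		}
	} else if !ecdsa.VerifyASN1(trustedIssuer, hashJSON(a), m.Token.IssuerSig) {
		return fmt.Errorf("issuer signature over assertion is invalid")
	}
	pub, err := x509.ParsePKIXPublicKey(a.SubjectKey)
	if err != nil {
		return err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("SubjectConfirmation key is not an ECDSA key")
	}
	if !ecdsa.VerifyASN1(ecPub, hashJSON(signedPart(m)), m.HolderSig) {
		return fmt.Errorf("holder signature does not match SubjectConfirmation key")
	}
	return nil
}

// Scenario runs the exchange from the thread: a legitimate message, then the
// same token with the SubjectConfirmation key swapped for a third party's key and
// the message re-signed with that key. Returns (legitimate accepted, swapped accepted).
func Scenario(issuerSigns bool) (bool, bool) {
	issuer, alice, other := genKey(), genKey(), genKey()
	token := IssueHOK(issuer, "alice", &alice.PublicKey, issuerSigns)
	legit := SendMessage(alice, token, "constructed request body")

	swapped := legit.Token // copy; the original token is untouched
	der, _ := x509.MarshalPKIXPublicKey(&other.PublicKey)
	swapped.Assertion.SubjectKey = der // issuer signature (if any) no longer covers this
	forged := SendMessage(other, swapped, "constructed request body")

	return Verify(&issuer.PublicKey, legit, issuerSigns) == nil,
		Verify(&issuer.PublicKey, forged, issuerSigns) == nil
}

func main() {
	for _, signed := range []bool{true, false} {
		ok, swappedOK := Scenario(signed)
		fmt.Printf("issuer signs assertion=%v: legitimate accepted=%v, swapped key accepted=%v\n", signed, ok, swappedOK)
	}
}
```

With `issuerSigns` true the swapped-key message is rejected at the issuer-signature check, which is the property the spec relies on; with it false the relying party has no reason to prefer one key over another and accepts both, which is the situation Giuseppe describes. Note that the check order matters: verifying the holder's signature first, with whatever key the message carries, proves nothing until the assertion itself is known to be the issuer's.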