

Subject: Re: [wss-dev] SAML token and holder of key.


That's right.

Giuseppe Sarno wrote:

>Hi,
>Does this mean that for my Web service provider the Subject confirmation
>is not enough, and I also need an issuer Certificate or key?
>
>Thanks.
>Giuseppe.
>
>-----Original Message-----
>From: Vishal Mahajan [mailto:vmahajan@amberpoint.com] 
>Sent: 08 December 2005 11:34
>To: Sarno, Giuseppe [MOP:GM15:EXCH]
>Cc: wss-dev@lists.oasis-open.org
>Subject: Re: [wss-dev] SAML token and holder of key.
>
>
>Typically an HOK assertion would be protected for integrity by its 
>issuer, so replacing the public key wouldn't be possible. The issuer of 
>an HOK assertion typically signs the assertion in an enveloped-signature
>manner.
>
>Vishal
>
>Giuseppe Sarno wrote:
>
>>If I put a Public Key in the SubjectConfirmation and used my Private 
>>Key to create the <ds:Signature> element wouldn't this be open to MITM
>>attack? I mean the attacker could change the PublicKey as well as using
>>his private key to sign the message. To avoid this shouldn't a 
>>Certificate (509) in the Subject confirmation be a better option? 
>>(without considering out of band agreement). Continuing on this why 
>>then does the Spec say on page 28 that the holder of key is not vulnerable 
>>to MITM attack?
>>What am I missing?
>>
>>Thanks.
>>Giuseppe.
>
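
The relying-party check discussed in this thread, as an added example that is not part of the original messages: the provider accepts the key in the SubjectConfirmation only if the issuer's signature covers it, then verifies the message signature with that key. It uses Ed25519 from Go's standard library in place of XML Signature; the `Assertion` struct, the function names and the sample values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Assertion is a constructed stand-in for a holder-of-key SAML assertion.
type Assertion struct {
	Subject   string
	HolderKey ed25519.PublicKey // key named in SubjectConfirmation
	IssuerSig []byte            // issuer's signature over Subject and HolderKey
}

func (a Assertion) signedBytes() []byte { return append([]byte(a.Subject+"\x00"), a.HolderKey...) }

// Issue binds the holder's key to the subject under the issuer's signature.
func Issue(issuer ed25519.PrivateKey, subject string, holder ed25519.PublicKey) Assertion {
	a := Assertion{Subject: subject, HolderKey: holder}
	a.IssuerSig = ed25519.Sign(issuer, a.signedBytes())
	return a
}

// Verify accepts the holder key only if the trusted issuer signed over it.
func Verify(trustedIssuer ed25519.PublicKey, a Assertion, body, sig []byte) error {
	if !ed25519.Verify(trustedIssuer, a.signedBytes(), a.IssuerSig) {
		return errors.New("assertion not signed by trusted issuer")
	}
	if !ed25519.Verify(a.HolderKey, body, sig) {
		return errors.New("message not signed with the confirmed key")
	}
	return nil
}

// Demo checks a genuine request, a swapped key, and an attacker-issued assertion.
func Demo() (genuine, swapped, reissued error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil)
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil)
	malPub, malPriv, _ := ed25519.GenerateKey(nil)
	a, body := Issue(issuerPriv, "alice", alicePub), []byte("<Body>constructed request</Body>")
	genuine = Verify(issuerPub, a, body, ed25519.Sign(alicePriv, body))
	forged := Assertion{Subject: a.Subject, HolderKey: malPub, IssuerSig: a.IssuerSig} // key replaced only
	swapped = Verify(issuerPub, forged, body, ed25519.Sign(malPriv, body))
	reissued = Verify(issuerPub, Issue(malPriv, "alice", malPub), body, ed25519.Sign(malPriv, body))
	return
}

func main() { fmt.Println(Demo()) }
```

Both forged cases fail at the issuer-signature check, which is the step that requires the provider to hold the issuer's certificate or key.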


