Subject: RE: [wss-dev] SAML token and holder of key.


Hi, thanks,

Just to clarify:

1) The SAML issuer provides a SubjectConfirmation with KeyInfo to sign the SOAP message.
2) The SAML issuer also signs the Assertion to protect it from tampering with.
    I guess at this point the Issuer:
    2.a) wouldn't just put the Public key as done for the SubjectConfirmation (otherwise here we go again).
    2.b) The Issuer then had better include in the Assertion KeyInfo either a certificate (that can be verified by a CA),
    2.c) or nothing (anyway not the key), expecting the receiver to have it stored locally.

Does this make sense?

I mean my assumption, as learnt from SSL books and internet discussions, is that the MITM can be defeated by using Certificates (which need to be double checked with the CA); just the public key is not enough.

In my opinion the Certificate solution as mentioned above seems to be a better solution, as the Web Service Provider doesn't necessarily need to know about Issuer specifics as he would get the certificate in the Assertion itself.
Any opinion on this?

Thanks.
Giuseppe.
 
 

-----Original Message-----
From: Vishal Mahajan [mailto:vmahajan@amberpoint.com] 
Sent: 08 December 2005 12:30
To: Sarno, Giuseppe [MOP:GM15:EXCH]
Cc: wss-dev@lists.oasis-open.org
Subject: Re: [wss-dev] SAML token and holder of key.

That's right.

Giuseppe Sarno wrote:

Hi,

Does this mean that for my Web service provider the Subject confirmation is not enough,
and I also need an issuer Certificate or key?

Thanks.
Giuseppe.


-----Original Message-----
From: Vishal Mahajan [mailto:vmahajan@amberpoint.com]
Sent: 08 December 2005 11:34
To: Sarno, Giuseppe [MOP:GM15:EXCH]
Cc: wss-dev@lists.oasis-open.org
Subject: Re: [wss-dev] SAML token and holder of key.

Typically an HOK assertion would be protected for integrity by its issuer, so replacing the public key wouldn't be possible. The issuer of an HOK assertion typically signs the assertion in an enveloped-signature manner.

Vishal


Giuseppe Sarno wrote:

If I put a Public Key in the SubjectConfirmation and used my Private Key to create the <ds:Signature> element, wouldn't this be open to MITM attack? I mean the attacker could change the PublicKey as well as using his private key to sign the message. To avoid this, shouldn't a Certificate (509) in the Subject confirmation be a better option? (without considering out of band agreement). Continuing on this, why then does the Spec say on page 28 that the holder of key is not vulnerable to MITM attack?
What am I missing?

Thanks.
Giuseppe.
---------------------------------------------------------------------
This publicly archived list supports open discussion on implementing the
WSS OASIS Standard. To minimize spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/wss-dev/
Committee homepage: http://www.oasis-open.org/committees/wss/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/
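The point Vishal makes above (the issuer's enveloped signature covers the SubjectConfirmation key, so a man in the middle cannot swap it for his own) and Giuseppe's original concern (a bare public key in the confirmation plus the holder's own message signature), modelled as an added example; this is not code from the thread, from WSS4J, or from any OASIS specification. The SAML assertion and SOAP envelope are plain Python dicts, canonical XML is a sorted JSON dump, and XML-DSig is replaced by a hash-based Lamport one-time signature so that the whole thing runs on the standard library. The holder-of-key method URI is the real SAML 1.x value; the issuer name, subject and payloads are constructed sample values.

```python
"""Holder-of-key binding demo (added example, not from the wss-dev thread).

Assumptions: SAML/SOAP structures are dicts, canonical XML is json.dumps with
sorted keys, and XML-DSig is a Lamport one-time signature built on SHA-256.
"""
import copy
import hashlib
import json
import secrets

HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"  # real SAML 1.x method URI


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(obj) -> bytes:
    """Stand-in for XML canonicalisation: a stable serialisation of the signed part."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- Lamport one-time signature: a real, if impractical, public-key scheme ---
def keygen():
    """Private key: 256 pairs of random preimages. Public key: their SHA-256 hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(sha256(a).hex(), sha256(b).hex()) for a, b in priv]
    return priv, pub


def _bits(message: bytes):
    digest = sha256(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, message: bytes):
    """Reveal one preimage per digest bit. A Lamport private key must sign only once."""
    return [priv[i][bit].hex() for i, bit in enumerate(_bits(message))]


def verify(pub, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(sha256(bytes.fromhex(sig[i])).hex() == pub[i][bit]
               for i, bit in enumerate(_bits(message)))


# --- Issuer: HOK assertion whose SubjectConfirmation/KeyInfo names the holder's key ---
def issue_assertion(issuer_priv, subject: str, holder_pub):
    body = {
        "Issuer": "urn:example:idp",  # constructed sample issuer
        "Subject": subject,
        "SubjectConfirmation": {"Method": HOK, "KeyInfo": holder_pub},
    }
    # Enveloped signature: covers the whole assertion, KeyInfo included.
    return {"Body": body, "IssuerSignature": sign(issuer_priv, canonical(body))}


# --- Holder (client): signs the SOAP message with the key named in the assertion ---
def build_message(holder_priv, assertion, payload: str):
    envelope = {"Assertion": assertion, "SoapBody": payload}
    return {"Envelope": envelope, "MessageSignature": sign(holder_priv, canonical(envelope))}


# --- Man in the middle, as described in the thread: swap the key, re-sign the message ---
def tamper(message, attacker_priv, attacker_pub, new_payload: str):
    forged = copy.deepcopy(message)
    env = forged["Envelope"]
    env["Assertion"]["Body"]["SubjectConfirmation"]["KeyInfo"] = attacker_pub
    env["SoapBody"] = new_payload
    forged["MessageSignature"] = sign(attacker_priv, canonical(env))
    return forged


# --- Relying party (the Web service provider) ---
def verify_message(message, trusted_issuer_pub, check_issuer_signature=True) -> str:
    env = message["Envelope"]
    assertion = env["Assertion"]
    if check_issuer_signature:
        # Trust anchor: the issuer key is known locally or via a CA-verifiable certificate.
        if not verify(trusted_issuer_pub, canonical(assertion["Body"]), assertion["IssuerSignature"]):
            return "rejected: issuer signature over assertion is invalid"
    confirmation = assertion["Body"]["SubjectConfirmation"]
    if confirmation["Method"] != HOK:
        return "rejected: not a holder-of-key confirmation"
    # The message must be signed by exactly the key the issuer vouched for.
    if not verify(confirmation["KeyInfo"], canonical(env), message["MessageSignature"]):
        return "rejected: message not signed by the confirmed key"
    return "accepted: " + assertion["Body"]["Subject"]


def demo() -> dict:
    issuer_priv, issuer_pub = keygen()
    holder_priv, holder_pub = keygen()
    attacker_priv, attacker_pub = keygen()
    assertion = issue_assertion(issuer_priv, "giuseppe@example.org", holder_pub)  # constructed
    message = build_message(holder_priv, assertion, "sample-body")
    forged = tamper(message, attacker_priv, attacker_pub, "tampered-body")
    return {
        "honest": verify_message(message, issuer_pub),
        # Giuseppe's concern: without the issuer signature check the key swap succeeds.
        "forged_unchecked": verify_message(forged, issuer_pub, check_issuer_signature=False),
        # Vishal's point: the enveloped issuer signature binds KeyInfo, so the swap is caught.
        "forged_checked": verify_message(forged, issuer_pub),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The relying party still has to trust the issuer's verification key from somewhere, which is exactly the choice the thread turns on: a key stored locally, or a CA-verifiable certificate carried in the assertion's KeyInfo. What the example shows is that once that check is in place, a confirmation key swapped by a man in the middle fails verification before the message signature is ever examined; skip the check and the swapped key is accepted.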