Subject: RE: [wss-dev] SAML token and holder of key.
Hi,

Thanks. Just to clarify:

1) The SAML issuer provides a SubjectConfirmation with a KeyInfo used to sign the SOAP message.
2) The SAML issuer also signs the Assertion to protect it from tampering.

I guess at this point the issuer:

2.a) wouldn't just put the public key, as done for the SubjectConfirmation (otherwise here we go again);
2.b) the issuer then needs to include in the Assertion KeyInfo either a certificate (that can be verified by a CA),
2.c) or nothing (anyway not the key), expecting the receiver to have it stored locally.

Does this make sense? I mean, my assumption, as learnt from SSL books and internet discussion, is that MITM can be defeated by using certificates (which need to be double-checked with the CA); just the public key is not enough.

In my opinion the certificate solution as mentioned above seems to be a better solution, as the Web Service Provider doesn't necessarily need to know about issuer specifics, as he would get the certificate in the Assertion itself.

Any opinion on this?

Thanks.
Giuseppe.

-----Original Message-----
From: Vishal Mahajan [mailto:vmahajan@amberpoint.com]
Sent: 08 December 2005 12:30
To: Sarno, Giuseppe [MOP:GM15:EXCH]
Cc: wss-dev@lists.oasis-open.org
Subject: Re: [wss-dev] SAML token and holder of key.

That's right.

Giuseppe Sarno wrote:

Hi,
Does this mean that for my Web service provider the Subject confirmation is not enough, and I also need an issuer certificate or key?

Thanks.
Giuseppe.

-----Original Message-----
From: Vishal Mahajan [mailto:vmahajan@amberpoint.com]
Sent: 08 December 2005 11:34
To: Sarno, Giuseppe [MOP:GM15:EXCH]
Cc: wss-dev@lists.oasis-open.org
Subject: Re: [wss-dev] SAML token and holder of key.

Typically an HOK assertion would be protected for integrity by its issuer, so replacing the public key wouldn't be possible. The issuer of an HOK assertion typically signs the assertion in an enveloped-signature manner.

Vishal

Giuseppe Sarno wrote:

If I put a Public Key in the SubjectConfirmation and used my Private Key to create the <ds:Signature> element, wouldn't this be open to MITM attack? I mean the attacker could change the PublicKey as well as using his private key to sign the message. To avoid this, shouldn't a Certificate (X.509) in the Subject confirmation be a better option? (without considering out-of-band agreement).

Continuing on this, why then does the Spec say on page 28 that the holder of key is not vulnerable to MITM attack? What am I missing?

Thanks.
Giuseppe.

---------------------------------------------------------------------
This publicly archived list supports open discussion on implementing the WSS OASIS Standard. To minimize spam in the archives, you must subscribe before posting.
[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/wss-dev/
Committee homepage: http://www.oasis-open.org/committees/wss/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/
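An added example, not code from this thread, the WSS specification, or any product named here: a Java check using the JDK's built-in XML-DSig API that applies the trust order the replies describe, verifying the issuer's enveloped signature over the assertion with an issuer certificate the web service provider already holds (obtained out of band, or validated against its CA beforehand), never with key material taken from the assertion, and only then handing back the SubjectConfirmation KeyInfo as the key the SOAP message signature must match. Assumptions: a SAML 2.0 assertion carrying an `ID` attribute, parsed namespace-aware; the class and method names are hypothetical.

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class HokAssertionCheck {                                           // hypothetical name
    private static final String DSIG = XMLSignature.XMLNS;                       // http://www.w3.org/2000/09/xmldsig#
    private static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";  // assumption: SAML 2.0 (1.x: ...:1.0:assertion, AssertionID)

    /** Ignores whatever KeyInfo the assertion's own signature carries and verifies only with the
     *  locally held issuer certificate, so a key or certificate swapped into the assertion by a
     *  man in the middle can never make the issuer signature look valid. */
    private static final class LocalIssuerKeySelector extends KeySelector {
        private final PublicKey issuerKey;
        LocalIssuerKeySelector(X509Certificate issuerCert) { issuerKey = issuerCert.getPublicKey(); }
        @Override public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m, XMLCryptoContext c) {
            return () -> issuerKey;
        }
    }

    /** Returns the SubjectConfirmation KeyInfo of a parsed saml:Assertion, or null when the issuer's
     *  enveloped signature is missing, does not cover the assertion, or does not verify under the
     *  trusted issuer certificate. Only a returned KeyInfo may be used to check the SOAP message
     *  signature; the caller must still confirm the message was signed with exactly that key. */
    static Element confirmedKeyInfo(Element assertion, X509Certificate trustedIssuer) throws Exception {
        NodeList sigs = assertion.getElementsByTagNameNS(DSIG, "Signature");
        if (sigs.getLength() != 1) return null;              // unsigned or ambiguously signed: reject
        DOMValidateContext ctx = new DOMValidateContext(new LocalIssuerKeySelector(trustedIssuer), sigs.item(0));
        ctx.setIdAttributeNS(assertion, null, "ID");         // lets the Reference URI "#<ID>" resolve
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return null;                 // SignatureValue or digest mismatch
        // The signed Reference must point at this assertion element, not at some other fragment.
        String expectedUri = "#" + assertion.getAttribute("ID");
        boolean coversAssertion = false;
        for (Object ref : sig.getSignedInfo().getReferences()) {
            if (expectedUri.equals(((Reference) ref).getURI())) coversAssertion = true;
        }
        if (!coversAssertion) return null;
        NodeList sc = assertion.getElementsByTagNameNS(SAML, "SubjectConfirmation");
        if (sc.getLength() != 1) return null;                // exactly one confirmation expected
        NodeList ki = ((Element) sc.item(0)).getElementsByTagNameNS(DSIG, "KeyInfo");
        return ki.getLength() == 1 ? (Element) ki.item(0) : null;
    }
}
```

If the issuer ships a certificate rather than a bare key in the assertion's own KeyInfo, as Giuseppe proposes, the selector above still ignores it; the CA validation of that certificate belongs in the step that populates `trustedIssuer`, not inside signature verification.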