Subject: RE: [wss-dev] SAML token and holder of key.


I am not sure if the original suggestion of Vishal can be interpreted as "Certificates will solve the problem". Though to some extent it is true, you still have the situation where, for whatever reason, the MITM also has a valid cert from the same issuer.

As you realized, the problem also cannot be solved by signing the token - SubjectConfirmation or KeyInfo element - as the MITM can do the same thing.

I think for your problem, an ideal solution is signing followed by encryption. I am not familiar with the SAML protocol, but in a web services world, that is the approach.

As an aside - signatures in most implementations are, ultimately, tied to an identity. So, you have the knowledge of a certificate and you know to whom it belongs. In such a case, signature alone (of data and the token) will be good enough.

-rams

--- Giuseppe Sarno <gsarno@nortel.com> wrote:

> Hi, thanks.
>
> Just to clarify:
>
> 1) SAML issuer provides a SubjectConfirmation with KeyInfo to sign the SOAP message.
> 2) SAML issuer also signs the Assertion to protect it from being tampered with.
>    I guess at this point the Issuer:
>    2.a) wouldn't just put the Public key as done for the SubjectConfirmation (otherwise here we go again).
>    2.b) The Issuer then needs to include in the Assertion KeyInfo either a certificate (that can be verified by a CA)
>    2.c) Or nothing (anyway not the key), expecting the receiver to have it stored locally.
>
> Does this make sense?
>
> I mean my assumption as learnt from SSL books and internet discussion is that the MITM can be defeated by using Certificates (which need to be double checked with the CA); just the public key is not enough.
>
> In my opinion the Certificate solution as mentioned above seems to be a better solution as the Web Service Provider doesn't necessarily need to know about Issuer specifics as he would get the certificate in the Assertion itself.
> Any opinion on this?
>
> Thanks.
> Giuseppe.
>
> -----Original Message-----
> From: Vishal Mahajan [mailto:vmahajan@amberpoint.com]
> Sent: 08 December 2005 12:30
> To: Sarno, Giuseppe [MOP:GM15:EXCH]
> Cc: wss-dev@lists.oasis-open.org
> Subject: Re: [wss-dev] SAML token and holder of key.
>
> That's right.
>
> Giuseppe Sarno wrote:
>
> Hi,
>
> Does this mean that for my Web service provider the Subject confirmation is not enough, and I also need an issuer Certificate or key?
>
> Thanks.
> Giuseppe.
>
> -----Original Message-----
> From: Vishal Mahajan [mailto:vmahajan@amberpoint.com]
> Sent: 08 December 2005 11:34
> To: Sarno, Giuseppe [MOP:GM15:EXCH]
> Cc: wss-dev@lists.oasis-open.org
> Subject: Re: [wss-dev] SAML token and holder of key.
>
> Typically an HOK assertion would be protected for integrity by its issuer, so replacing the public key wouldn't be possible. The issuer of an HOK assertion typically signs the assertion in an enveloped-signature manner.
>
> Vishal
>
> Giuseppe Sarno wrote:
>
> If I put a Public Key in the SubjectConfirmation and used my Private Key to create the <ds:Signature> element, wouldn't this be open to MITM attack? I mean the attacker could change the PublicKey as well as use his private key to sign the message. To avoid this, shouldn't a Certificate (X.509) in the Subject confirmation be a better option? (without considering out of band agreement). Continuing on this, why then does the Spec say on page 28 that the holder of key is not vulnerable to MITM attack?
> What am I missing?
>
> Thanks.
> Giuseppe.
>
=== message truncated ===
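The following is an added example by the editor, not code from this thread or from any OASIS WSS implementation. It models, from the relying party's side, the point Vishal makes above (the issuer signs the holder-of-key assertion, so the public key in SubjectConfirmation cannot be swapped without breaking that signature) next to the weaker check Giuseppe was worried about (trusting whatever key the SubjectConfirmation carries). It assumes simplified Go structs and Ed25519 in place of XML-DSig, X.509 and SAML XML, and the issuer name "idp.example", the subject name and the SOAP body are constructed sample values. The relying party's table of trusted issuer keys stands in for the issuer certificate or locally stored key the thread says the receiver must already have.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assertion is a hypothetical, simplified stand-in for a SAML holder-of-key
// assertion: the issuer states that Subject holds SubjectKey (the public key
// that would sit in SubjectConfirmation/KeyInfo) and signs that statement.
type Assertion struct {
	Issuer     string
	Subject    string
	SubjectKey ed25519.PublicKey
	IssuerSig  []byte // issuer's signature over Issuer|Subject|SubjectKey
}

// Message stands in for a SOAP message carrying the assertion plus a signature
// over the body made with the subject's private key (the holder-of-key proof).
type Message struct {
	Assertion Assertion
	Body      []byte
	BodySig   []byte
}

// signedAssertionBytes is the canonical form the issuer signature covers; the
// signature field itself is excluded, as with an enveloped signature.
func signedAssertionBytes(a Assertion) []byte {
	return []byte(a.Issuer + "|" + a.Subject + "|" + string(a.SubjectKey))
}

// IssueAssertion is the issuer's step: bind the subject's public key and sign.
func IssueAssertion(issuerPriv ed25519.PrivateKey, issuer, subject string, subjectPub ed25519.PublicKey) Assertion {
	a := Assertion{Issuer: issuer, Subject: subject, SubjectKey: subjectPub}
	a.IssuerSig = ed25519.Sign(issuerPriv, signedAssertionBytes(a))
	return a
}

// SignMessage is the subject's step: attach the assertion and prove key possession.
func SignMessage(subjectPriv ed25519.PrivateKey, a Assertion, body []byte) Message {
	return Message{Assertion: a, Body: body, BodySig: ed25519.Sign(subjectPriv, body)}
}

// VerifyKeyOnly is the weak check: trust whatever public key the
// SubjectConfirmation carries and verify the body signature against it.
func VerifyKeyOnly(m Message) error {
	if len(m.Assertion.SubjectKey) != ed25519.PublicKeySize || !ed25519.Verify(m.Assertion.SubjectKey, m.Body, m.BodySig) {
		return errors.New("holder-of-key proof failed")
	}
	return nil
}

// VerifyMessage is the relying party's full check: first confirm the assertion
// is intact and from a trusted issuer, only then use the key it binds to check
// the body signature. trustedIssuers holds issuer public keys the relying party
// already has (stored locally or taken from a CA-validated certificate).
func VerifyMessage(trustedIssuers map[string]ed25519.PublicKey, m Message) error {
	issuerPub, ok := trustedIssuers[m.Assertion.Issuer]
	if !ok {
		return errors.New("untrusted issuer")
	}
	if !ed25519.Verify(issuerPub, signedAssertionBytes(m.Assertion), m.Assertion.IssuerSig) {
		return errors.New("issuer signature on assertion invalid")
	}
	return VerifyKeyOnly(m)
}

// RunScenario issues a genuine message, then builds a tampered copy in which a
// third party has swapped in its own public key and re-signed the body. It
// returns the outcome of each check so the difference is visible.
func RunScenario() (genuine, tamperedKeyOnly, tamperedFull error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	subjectPub, subjectPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // key the subject never held
	trusted := map[string]ed25519.PublicKey{"idp.example": issuerPub}

	body := []byte("<soap:Body>order 42</soap:Body>") // constructed sample body
	good := SignMessage(subjectPriv, IssueAssertion(issuerPriv, "idp.example", "giuseppe", subjectPub), body)

	bad := good
	bad.Assertion.SubjectKey = otherPub          // public key in SubjectConfirmation replaced
	bad.BodySig = ed25519.Sign(otherPriv, body)  // body re-signed with the matching private key
	// bad.Assertion.IssuerSig still covers the original key, so it no longer verifies

	return VerifyMessage(trusted, good), VerifyKeyOnly(bad), VerifyMessage(trusted, bad)
}

func main() {
	g, tk, tf := RunScenario()
	fmt.Println("genuine message, full check:", g)
	fmt.Println("tampered message, key-only check:", tk)
	fmt.Println("tampered message, full check:", tf)
}
```

Run stand-alone, the genuine message passes the full check, the tampered message passes the key-only check (the substitution goes unnoticed), and the tampered message fails the full check at the issuer signature, before the swapped key is ever used. The order matters: the key in SubjectConfirmation is only meaningful after the issuer's signature over the assertion has been verified against a key the relying party already trusts.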

