[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [wss-dev] SAML token and holder of key.
Sorry for the late reply. Please see below.

--- Giuseppe Sarno <gsarno@nortel.com> wrote:

> Hi, the Certificate was the point I was trying to make;
> we need a Certificate to be sure (or so) that the assertion has not been tampered with.
> So the statement in the spec saying that holder of key is not vulnerable to MITM,
> I think it's not strictly true unless the Assertion is signed using a certificate.
>
> Encryption is a good approach, but I think in this case you need somehow to have the Key stored also
> on the Web service provider, which might introduce key management problems.
> Is this correct?

Encryption is generally done using a combination of session key and public key. The data is encrypted with the session key and the session key itself is encrypted with the public key. The public key is that of the recipient and the session key is uniquely generated for every encryption operation. So, though you have to "somehow" get the public key of the recipient, once you have it you can use encryption. So, in your case, a MITM cannot decrypt the content and create his own signature, unless they have the recipient's private key.

> If that is true then the Certificate approach could be ok. I guess the only problem here is to verify
> the Certificate itself.
>
> So no real painless approach.
>
> What do you think?
>
> Giuseppe.
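The session-key-plus-public-key scheme the reply describes (hybrid encryption) in working form. This is an added example, not code from the thread or from any WSS implementation: it uses Go's standard library only, a constructed placeholder payload standing in for the SAML assertion, and the names Seal, Open and Demonstrate are chosen here. The session key is generated fresh per operation and wrapped under the recipient's RSA-OAEP public key, the payload is encrypted under AES-256-GCM, and Demonstrate checks both halves of the thread's claim: the intended recipient recovers the payload, while a holder of an unrelated key cannot unwrap the session key, and a modified ciphertext is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the constructed wire format for this example: the payload
// encrypted under a one-time session key, plus that key wrapped for the
// recipient. Nothing here is a WS-Security/XML-Encryption structure.
type Envelope struct {
	WrappedKey []byte // session key encrypted with the recipient's RSA-OAEP public key
	Nonce      []byte // AES-GCM nonce, unique per Seal call
	Ciphertext []byte // payload encrypted with AES-256-GCM (includes the auth tag)
}

// Seal encrypts payload for recipient: a fresh 256-bit session key encrypts
// the data, and only that key is encrypted with the recipient's public key.
func Seal(recipient *rsa.PublicKey, payload []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, payload, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal with the recipient's private key. Any other private key
// fails at the unwrap step, so neither the session key nor the payload is
// exposed; a tampered ciphertext fails the GCM tag check.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed: not the intended recipient")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("payload rejected: ciphertext or tag was modified")
	}
	return pt, nil
}

// Demonstrate returns nil when the intended recipient recovers the payload,
// an unrelated key holder cannot, and a modified envelope is rejected.
func Demonstrate() error {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	interloper, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated key, stands in for a MITM
	if err != nil {
		return err
	}
	// Constructed placeholder standing in for a SAML assertion.
	payload := []byte(`<saml:Assertion ID="constructed-example">holder-of-key subject</saml:Assertion>`)

	env, err := Seal(&recipient.PublicKey, payload)
	if err != nil {
		return err
	}
	got, err := Open(recipient, env)
	if err != nil || !bytes.Equal(got, payload) {
		return errors.New("intended recipient failed to recover the payload")
	}
	if _, err := Open(interloper, env); err == nil {
		return errors.New("unrelated key opened the envelope")
	}
	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Open(recipient, &tampered); err == nil {
		return errors.New("modified ciphertext was accepted")
	}
	return nil
}

func main() {
	if err := Demonstrate(); err != nil {
		panic(err)
	}
	fmt.Println("hybrid encryption: recipient-only decryption and tamper detection OK")
}
```

Note that this gives confidentiality to the recipient and integrity of the ciphertext; it does not by itself prove who produced the envelope, which is the role of the signature the thread discusses, and obtaining a trustworthy copy of the recipient's public key is the same certificate-verification problem Giuseppe raises.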