OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [wss] SAML Token Brainstorming

Are these semantics specific to the WSS SAML Toke Profile? They are not
mandated by SAML as far as I am aware.

> Holder-of-key requires that the assertion contain an authority
> signature and
> that the sender sign the msg. The sender need not sign the assertions.

According to SAML any assertion may or may not be signed.

The Holder of Key is intended to allow the Subject (who may or not be the
sender) to prove that is in fact the Subject refered to by demonstrating
that it has knowledge of the expressed or implied secret, typically by use
os some cryptographic function such as a signature.
>
> Except for the special case described below, Sender-vouches requires
> that the sender sign both the assertion and the msg. The authority need
> not sign the asertion (although doing so allows the relying party
> to verify that the authority has established the binding of attributes
> to the subject).

In the case of the SAML POST profile (for which the sender vouches
confirmation method was invented) the authority signs the assertion, not the
sender. (It follows a V path from authority to Browser (sender) to relying
party, via a web form.)

As I understand it, sender vouches is just like saying "this is my birth
certificate, here in my hand." In other words there is no sure way of
assocating the sender with the assertion.

This is my understanding of what SAML specifies. If we are adding new
semantics, we should chose new subject confirmation methodds, not change
their semantics.


> To do request encryption, I thought we would more likely depend on
> the X509 profile to pass an encrypted key, in which case, I
> thought we would
> likely reuse the encrypted key for the response. We could, for
> response only
> encryption, reuse the key from a SAML assertion (used to sign the request)
> to define an encrypted key, if we think response only encryption
> is an important use case.
>
> Is there any reason why it would be bad to demonstrate a sign and encrypt
> scenario that synergized both the x509 and Saml token profiles?

Why not just exchange it in advance? In real life it would likely be
obtained from something like WSDL.


> I don't think I saw Irving's comments,

Irving just has said repeatedly that he doesn't see how an assertion with
sender vouches differs semantically from an assertion with no subject
confirmation method.

Hal

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]