OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

imi message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [imi] SAML 2 profile questions

--Apple-Mail-265-220655387
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii;
	format=flowed;
	delsp=yes

Holder of key is supported in the spec for the selector.

As it stands I grant you that I don't think anyone has implemented it.

I think having a credible HoK story for the SAML 2 profile is  
important for a number of agencies.

Supporting  HoK or something equivalent with non auditing cards may  
require a Zero Knowledge token.

I think we need to continue supporting auditing and non-auditing cards.

I have never seen auditing optional actually used,  but it might be if  
the RP had a way to express it without a RP/STS.

If a user could tell in the selector if a card is auditing or not it  
would make the feature more useful.

John B.
On 2009-10-14, at 5:27 PM, David Chadwick wrote:

>
>
> Scott Cantor wrote:
>>> If you are using bearer assertions, then the presence of the authn  
>>> token
>>> only provides extra granularity for access control if it contains
>>> a) the LOA value and/or
>>> b) a permanent ID of the user that is known to the SP.
>> We're talking about the statements in the "token". AuthnStatements  
>> do not
>> contain information about the user, but about the act of  
>> authentication that
>> led to the issuance of the assertion.
>
> which includes the LOA according to the SAML draft spec.
>
>>
>>>> In 2.3.3, the draft states that "the assertion MUST be signed".  I
>>>> understand the value of this, but I'd like us to at least discuss  
>>>> this
>>>> before assuming that this should be a MUST.  For instance, is  
>>>> this a
>>>> MUST when the token is used with the SAML 2.0 protocol?
>>> In many cases TLS is sufficient, so I see no need to make this  
>>> mandatory.
>> The signature is for integrity of the assertion from the IdP. There  
>> is no
>> TLS connection between the IdP and the RP. Not signing the token  
>> means a
>> client is free to manipulate it at will.
>
> Understood. But this is not an (unknown) attacker, it is a  
> fraudulent (known) user changing his token, which is different.  
> These can be caught with auditing. So its less of a risk than an  
> unknown attacker, and in some situations e.g. student access to  
> library systems, it might be too low a risk to worry about the extra  
> cost of signing. Thus it should be the choice of the RP whether  
> signing is needed or not. After all, it is the RP that faces the risk.
>
>
>>> If you want privacy protection then you can always use a freshly  
>>> minted
>>> randomly generated identifier to identify the user in each new  
>>> assertion
>> That doesn't address the privacy use case that non-audited cards are
>> intended to address, which is about privacy *from* the IdP  
>> regarding what
>> RPs you visit.
>> My complaint is not with non-auditing mode, it's with the lack of  
>> support
>> for holder of key when using it.
>
> But if user's dont have keys and their client software does not  
> automatically mint and manage them for it, then you cant use holder  
> of key (even if we would like to).
>
> David
>
>> -- Scott
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/ 
>> my_workgroups.php
>
> -- 
> -------------------------------------------------------------
> The Israeli group Breaking the Silence has just released a  
> collection of
> testimonies by Israeli soldiers that took part in the Gaza attack last
> December and January. The testimonies expose significant gaps  
> between the official stances of the Israeli military and events on  
> the ground.
>
> See  http://www.shovrimshtika.org/news_item_e.asp?id=30
>
> The Israeli government defies Obama, and continues its settlement  
> expansion
>
> Israel plans to allocate $250 million over the next two years for  
> settlements
>
> http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698
>
> whilst simultaneously continuing to bulldoze Palestinian homes
>
> http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


--Apple-Mail-265-220655387
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIISjTCCA2gw
ggLRoAMCAQICEB33j5shi+K5JpDD+pT/JY8wDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQ
ZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MTIxMjAxNTQzMVoXDTA5MTIxMjAxNTQz
MVowgZ8xHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIxHzAdBgkqhkiG9w0BCQEWEGpi
cmFkbGV5QG1hYy5jb20xHjAcBgkqhkiG9w0BCQEWD2picmFkbGV5QG1lLmNvbTEdMBsGCSqGSIb3
DQEJARYOdmU3anRiQG1hYy5jb20xHDAaBgkqhkiG9w0BCQEWDXZlN2p0YkBtZS5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEHYYZtnmnyZW2DXoJINd4XwXcP7mxuzwvhv9ise38
G+1B0TwZjbTZxSSj9v+tdNQDQkJdlEOs6IftnFyojhqUk16X0BxIt6lx0c3j63bOG9aKWb5gXT+v
qb/U+KSRVP1NaJzrUhkyk1YhSSQD4xbMSMKFg9591IyHGKSGEwVnSy/ao8T2mZ1o+0Pa4XgzAqcj
N1lij5futahpcch2xnBkNTcd1HmtW4rmz3G9EQPtNmDATX/IfMedNt51RY9001SUvbgmneKJXONl
qfzM4KfrHhvw7VA83lv8U5mt6uoUNnbOEgGxYRwp0jGoio91WSti8R8YEsx7VAg5G7Qnnov9AgMB
AAGjXTBbMEsGA1UdEQREMEKBEGpicmFkbGV5QG1hYy5jb22BD2picmFkbGV5QG1lLmNvbYEOdmU3
anRiQG1hYy5jb22BDXZlN2p0YkBtZS5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOB
gQAOGO9fnD8Fc3s4vnLVl/J1+YlEp7M2q6BQN/xdsqaYxH+j6+PHf3mkGk71AXyFDC0o0O6+jEtM
0MxZ1wI1u9oSmpERdzuWJX0V8Dmd0AHVWAOpgONj0z0tTngsfy6oTHv6lfqproqhHx5EdvL3OL6K
5KQngYsjn1EGdUjnjHj9pzCCBzcwggYfoAMCAQICAgDeMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
VQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IElu
dGVybWVkaWF0ZSBDbGllbnQgQ0EwHhcNMDkwMzIwMTk1NjIyWhcNMTAwMzIwMTk1NjIyWjCBozEL
MAkGA1UEBhMCQ0ExGTAXBgNVBAgTEEJyaXRpc2ggQ29sdW1iaWExEjAQBgNVBAcTCVZhbmNvdXZl
cjEtMCsGA1UECxMkU3RhcnRDb20gVmVyaWZpZWQgQ2VydGlmaWNhdGUgTWVtYmVyMRUwEwYDVQQD
EwxKb2huIEJyYWRsZXkxHzAdBgkqhkiG9w0BCQEWEGpicmFkbGV5QG1hYy5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDp4FL6v23T0f0pRJbhb9i+VnFIqM1HWlrTXuVPCho/vJ2Y
mN0XI3yLQIxtbepSJ1k/+BlysAIC0XtzgY9/6jSzEwgcLWlVQA2EJLgczBMDYpEgGq7ksnYgieLk
dY3Wa/ZDyQ34aC9fS/ZLNCtplnXJFKklyojar2hXZexSVDR/iJycwAP+jcW0GTanY5X5HQgasOJF
g+wve3J/siM77fNgklLaIWQhGBjL56AjgCFat323oSqegcymW3ifn/GCjE9dFDxPhJPTfBWxNdt4
CZYQJO53xEuKq9Tqz2q+bVCU25d+qOcYPLhmCiTd6kWxM0/2u0gd0jfptinpz/7oZAUdAgMBAAGj
ggOIMIIDhDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB
BQUHAwQwHQYDVR0OBBYEFInfLf4tth8xkQAt3Z2NeBq+28BnMBsGA1UdEQQUMBKBEGpicmFkbGV5
QG1hYy5jb20wgagGA1UdIwSBoDCBnYAUrlWDb+wxyrn3HfqvazHzyB3jrLuhgYGkfzB9MQswCQYD
VQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRo
b3JpdHmCAQ4wggFHBgNVHSAEggE+MIIBOjCCATYGCysGAQQBgbU3AQIAMIIBJTAuBggrBgEFBQcC
ARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0BggrBgEFBQcCARYoaHR0cDov
L3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRlLnBkZjCBvAYIKwYBBQUHAgIwga8wFBYNU3Rh
cnRDb20gTHRkLjADAgEBGoGWTGltaXRlZCBMaWFiaWxpdHksIHJlYWQgdGhlIHNlY3Rpb24gKkxl
Z2FsIExpbWl0YXRpb25zKiBvZiB0aGUgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
UG9saWN5IGF2YWlsYWJsZSBhdCBodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMGMG
A1UdHwRcMFowK6ApoCeGJWh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2NydHUyLWNybC5jcmwwK6Ap
oCeGJWh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL2NydHUyLWNybC5jcmwwgY4GCCsGAQUFBwEBBIGB
MH8wOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9zdWIvY2xhc3MyL2NsaWVu
dC9jYTBCBggrBgEFBQcwAoY2aHR0cDovL3d3dy5zdGFydHNzbC5jb20vY2VydHMvc3ViLmNsYXNz
Mi5jbGllbnQuY2EuY3J0MCMGA1UdEgQcMBqGGGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tLzANBgkq
hkiG9w0BAQUFAAOCAQEAqxkg6t2pWyE12tTDzRmvZGIcWfM+MrGobq0Uob+EhJ8ntYXECWcBPFk3
K2cwWI18sNLs7g/eJ1/DHwecTwfkMFPSTwVjFyKnowNUzFn/bcNWGEqrulOaPgOs80HYpkrBLBcp
1RuWSyM1qV/Oz3KajMFFwrYfpLrLltITRv1o5U3loYY5AEv5+n9eHXb5KsCX0zVEDlegVJO8yhUj
e3EKoU+kl0UvSPMq6NokF2D455QNJAJJvAV3tf29wt1Z2x+ccsQJkToL4pd8D0igrt9iWgF3YcSj
nVWQlrXQVEB1mCUxqldoC2XsCB2B6DDx+95Dzp3a/YDx7im1lppWEGMTxjCCB+IwggXKoAMCAQIC
AQ4wDQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4x
KzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0
YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MTAyNDIxMDI1NFoXDTEyMTAyMjIx
MDI1NFowgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJT
ZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFz
cyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMsohUWcASz7GfKrpTOMKqANy9BV7V0igWdGxA8IU77L3aTxErQ+fcxtDYZ36Z6G
H0YFn7fq5RADteP0AYzrCA+EQTfi8q1+kA3m0nwtwXG94M5sIqsvs7lRP1aycBke/s5g9hJHryZ2
acScnzczjBCAo7X1v5G3yw8MDP2m2RCye0KfgZ4nODerZJVzhAlOD9YejvAXZqHksw56HzElVIoY
SZ3q4+RJuPXXfIoyby+Y2m1E+YzX5iCZXBx05gk6MKAW1vaw4/v2OOLy6FZH3XHHtOkzUreG//Cs
FnB9+uaYSlR65cdGzTsmoIK8WH1ygoXhRBm98SD7Hf/r3FELNvUCAwEAAaOCA1swggNXMAwGA1Ud
EwQFMAMBAf8wCwYDVR0PBAQDAgGmMB0GA1UdDgQWBBSuVYNv7DHKufcd+q9rMfPIHeOsuzCBqAYD
VR0jBIGgMIGdgBROC+8apEBbpRdphzDKNGhD0EGu8qGBgaR/MH0xCzAJBgNVBAYTAklMMRYwFAYD
VQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBT
aWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIBATAJBgNV
HRIEAjAAMD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAoYhaHR0cDovL3d3dy5zdGFydHNzbC5j
b20vc2ZzY2EuY3J0MGAGA1UdHwRZMFcwLKAqoCiGJmh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9z
ZnNjYS1jcmwuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9zZnNjYS5jcmwwggFd
BgNVHSAEggFUMIIBUDCCAUwGCysGAQQBgbU3AQEEMIIBOzAvBggrBgEFBQcCARYjaHR0cDovL2Nl
cnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwNQYIKwYBBQUHAgEWKWh0dHA6Ly9jZXJ0LnN0YXJ0
Y29tLm9yZy9pbnRlcm1lZGlhdGUucGRmMIHQBggrBgEFBQcCAjCBwzAnFiBTdGFydCBDb21tZXJj
aWFsIChTdGFydENvbSkgTHRkLjADAgEBGoGXTGltaXRlZCBMaWFiaWxpdHksIHJlYWQgdGhlIHNl
Y3Rpb24gKkxlZ2FsIExpbWl0YXRpb25zKiBvZiB0aGUgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkgUG9saWN5IGF2YWlsYWJsZSBhdCBodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvcG9s
aWN5LnBkZjARBglghkgBhvhCAQEEBAMCAAcwUAYJYIZIAYb4QgENBEMWQVN0YXJ0Q29tIENsYXNz
IDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgRnJlZSBTU0wgRW1haWwgQ2VydGlmaWNhdGVzMA0GCSqG
SIb3DQEBBQUAA4ICAQAe9xAX/vbphHkvkDdNrslXWdO7fD3JaqnTT3jmmDu55r7UpW1H/v/J40UB
Xsw9DKU8TylE4RwZT5HDAMW42f1x498AzM4FOnL/pUTTvr6BiRlrify5ZovkDYVWjy1GYTJ+hPiB
Ev0HmHnDxjhnJIIkEvJ+niMHLLEdpNMhZnxMiTFRAtIF4WeYcpgXBjAxsEDRKBvw40K+r3N4lyky
SQNp2ElIJ8H1z2BmhxtppUdWpOVJ4Q1Gvn9jfV1qnMhFCDY+X1X8DrkKrTcpDExcGlefweQs7+DY
UK3spiQkJpN7qpPYlfy2GYHedv7lGa1ZAghMI/4882QVAK2zq6M60nHpOUMtYD61XtAs3ZD5L3yn
9LCdeK2j4ZbQ3uRdwvxAMFWwXyUK/ALP4lCu9QhxbnETOkBWT3FJul4/FUgzM0RRCEGhuQWiOFSo
a35XJTcYf/4E/ZuvOXhK04nUpe7DYTMWzRqL04yyoJQVHKHKSboytueydKuqFZKdJA9gi77OnPBY
L/yxkXGgkLC9tsi77oT4AgZry0/6lgX56ak+f/umQihNPgtKSQQjEYq9S8MlOHzpUM0vxsghATYs
dUPBw6r6ZxDHjXoUAD03DUMEbKsWvqFB7nJNVesngbu8miw1EYLA+fHfTaCidoV3CL75jKqM/KE8
7qrh9Fqti9bKqnkvpTGCAy4wggMqAgEBMIGTMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3Rh
cnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4
MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0EC
AgDeMAkGBSsOAwIaBQCgggFvMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF
MQ8XDTA5MTAxNDIwNDcyNlowIwYJKoZIhvcNAQkEMRYEFIbR4ziLOP3vn1znVUQCuOEexaeWMIGF
BgkrBgEEAYI3EAQxeDB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGlu
ZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBD
QQIQHfePmyGL4rkmkMP6lP8ljzCBhwYLKoZIhvcNAQkQAgsxeKB2MGIxCzAJBgNVBAYTAlpBMSUw
IwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVy
c29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQHfePmyGL4rkmkMP6lP8ljzANBgkqhkiG9w0BAQEF
AASCAQAfJvbA3AwuiMrBjDwvMGbtqkOf5gP8ggjeTtxqZjLgME8hoXTXb4JbQeMB7pAi/YgsI3S0
mINSo8ZOrU/P/LP08qTyHiGwwiwZN6Un/YjLy1uKxmegzJlCIwWH1xHk29De/GYGLvPgD3ZuWiEj
8cseBCcPYIDcWXtcRmr9oeGGa3bOldBV46ALVgU24triM6FCBk8eJlJQNo+8VWaSZi4N5qPCukG3
pfE2ds/JuJRoLJKkiZBaFI87OGmYb3+atFXhqA8eY9SAxGzVBHNvUZevgn1tpJQcOO4TgUtsAPn2
euLuq8JxM7fu3jb8FjxYPSuvr1vhiKxftDAgzPu07lgpAAAAAAAA

--Apple-Mail-265-220655387--

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]