Subject: Re: [imi] SAML 2 profile questions


John Bradley wrote:
> HoK requires a RP/STS or some special undocumented undefined browser magic.

True HoK means it's HoK all the way to the web site, so the RP/STS thing 
doesn't count for my purposes. So the first question to answer is whether 
that's strictly legal or not, regardless of whether Cardspace itself happens 
to support it. If it is, then I'll stop criticizing IMI on this basis. But 
none of this really pertains to this profile; it's a separate issue.

> Has anyone ever looked at doing one time audience restriction?

Do you mean one time keys? I certainly have.

> If the RP made up a self signed certificate per transaction or 
> symmetric signing key.
> 
> This is venturing beyond the SAML 2.0 profile.  But some of these issues 
> need a broader view.

It's my assumption that with something like Infocard, you would quite likely 
look at using one-time or at least frequently recycled keys, and could 
support HoK by authenticating in the usual fashions to the IdP but also signing 
the RST with a key so that it can bind that key to the token on the way out 
without knowing ahead of time that it's your key. This isn't preventative of 
MitM attacks if the authentication step itself isn't via certificate, of 
course, but it's still an improvement for the RP half.

-- Scott
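The flow Scott sketches above, as an added illustration that is not part of either message and is not code from any IMI, CardSpace or SAML implementation: the requester mints a fresh key for the transaction, authenticates to the IdP in the usual way (here a password from a constructed toy credential store) and also signs the RST with that key; the IdP, having verified the RST under the key it carries, binds the key into the issued token without any prior knowledge of it; the RP verifies the issuer's signature and audience, then demands a proof of possession instead of treating the token as bearer. ECDSA P-256 and JSON stand-ins for the RST and the assertion are assumptions made for the sketch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Token stands in for a SAML assertion with holder-of-key subject confirmation:
// the issuer binds the requester's per-transaction public key (DER) into it.
type Token struct {
	Subject, Audience string
	KeyDER            []byte
}

// Request is the RST body the requester signs with the key it wants bound.
type Request struct {
	User, Audience string
	KeyDER         []byte
}

func sign(key *ecdsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// verify checks an ECDSA signature over data with a DER-encoded public key.
func verify(der, data, sig []byte) bool {
	k, err := x509.ParsePKIXPublicKey(der)
	pub, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// IdP: long-lived issuer key plus a constructed toy credential store.
type IdP struct {
	Key   *ecdsa.PrivateKey
	Users map[string]string
}

// Issue authenticates the user in the usual fashion (here a password), then
// requires the RST to verify under the key it carries. Only then is that key
// bound into the token; the IdP needs no prior knowledge of it.
func (i *IdP) Issue(rst, rstSig []byte, password string) ([]byte, []byte, error) {
	var r Request
	if err := json.Unmarshal(rst, &r); err != nil {
		return nil, nil, err
	}
	if i.Users[r.User] != password {
		return nil, nil, errors.New("authentication failed")
	}
	if !verify(r.KeyDER, rst, rstSig) {
		return nil, nil, errors.New("requester does not hold the key it asked to bind")
	}
	tok, _ := json.Marshal(Token{Subject: r.User, Audience: r.Audience, KeyDER: r.KeyDER})
	return tok, sign(i.Key, tok), nil
}

// RP checks the issuer signature and audience, then challenges the presenter
// to sign a fresh nonce with the bound key. A captured token alone is useless.
type RP struct {
	Name      string
	IssuerDER []byte
}

func (rp *RP) Accept(tok, tokSig []byte, prove func(nonce []byte) []byte) (string, error) {
	if !verify(rp.IssuerDER, tok, tokSig) {
		return "", errors.New("bad issuer signature")
	}
	var t Token
	if err := json.Unmarshal(tok, &t); err != nil {
		return "", err
	}
	if t.Audience != rp.Name {
		return "", errors.New("audience mismatch")
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	if !verify(t.KeyDER, nonce, prove(nonce)) {
		return "", errors.New("presenter cannot prove possession of the bound key")
	}
	return t.Subject, nil
}

// RunFlow performs one transaction; with thief=true the issued token is
// replayed by a party that captured it but not the per-transaction key.
func RunFlow(thief bool) (string, error) {
	idpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	idpDER, _ := x509.MarshalPKIXPublicKey(&idpKey.PublicKey)
	idp := &IdP{Key: idpKey, Users: map[string]string{"alice": "correct horse"}}
	rp := &RP{Name: "https://rp.example", IssuerDER: idpDER}

	ephem, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh per transaction
	ephemDER, _ := x509.MarshalPKIXPublicKey(&ephem.PublicKey)
	rst, _ := json.Marshal(Request{User: "alice", Audience: rp.Name, KeyDER: ephemDER})
	tok, tokSig, err := idp.Issue(rst, sign(ephem, rst), "correct horse")
	if err != nil {
		return "", err
	}
	holder := ephem
	if thief {
		holder, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // has the token, not the key
	}
	return rp.Accept(tok, tokSig, func(n []byte) []byte { return sign(holder, n) })
}

func main() {
	fmt.Println(RunFlow(false))
	fmt.Println(RunFlow(true))
}
```

The point of the sketch is the RP half that Scott describes as the improvement: the RP never relies on the token alone, so replaying a captured assertion fails at the possession check, while the IdP side still rests on whatever authentication the user performed.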
