Re: [imi] SAML 2 profile questions

[John Bradley <jbradley@mac.com>]

--Apple-Mail-307-282678781
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii;
	format=flowed;
	delsp=yes

I can't comment on Microsoft's shipping implementation working,  only  
that I believe they intended to support HoK to a RP/STS.

Mike M. can may be able to enlighten us on the what IBM has for this.

I agree that it would take some bending of definitions to convince  
some folks that it is HoK as defined in LoA 4.

I think that this should be a separate work item from the SAML 2  
profile.

I think we need to add a way to have one time keys, or something like  
that to improve the security on non-auditing cards.

Perhaps a restful service on the RP that generates a WS-Security  
policy like doc that the selector can retrieve.  That way you could  
have the one time key in that.

We also need a much more credible story on HoK (or equivalent) all the  
way to the RP web site.

I don't think these issues are directly related to the SAML 2.0 profile.

John B.


On 2009-10-15, at 1:07 AM, Scott Cantor wrote:

> John Bradley wrote:
>> HoK requires a RP/STS or some special undocumented undefined  
>> browser magic.
>
> True HoK means it's HoK all the way to the web site, so the RP/STS  
> thing doesn't count for my purposes. So the first question to answer  
> is whether that's strictly legal or not, regardless of whether  
> Cardspace itself happens to support it. If it is, then I'll stop  
> criticizing IMI on this basis. But none of this really pertains to  
> this profile, it's a separate issue.
>
>> Has anyone ever looked at doing one time audiance restriction?
>
> Do you mean one time keys? I certainly have.
>
>> If the RP made up a self signed certificate per transaction or  
>> symmetric  signing key.
>> This is venturing beyond the SAML 2.0 profile.  But some of these  
>> issues need a broader view.
>
> It's my assumption that with something like Infocard, you would  
> quite likely look at using one-time or at least frequently recycled  
> keys, and could support HoK by authenticating in the usual fashions  
> to the IdP but also sign the RST with a key so that it can bind that  
> key to the token on the way out without knowing ahead of time that  
> it's your key. This isn't preventative of MitM attacks if the  
> authentication step itself isn't via certificate, of course, but  
> it's still an improvement for the RP half.
>
> -- Scott


--Apple-Mail-307-282678781
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIISjTCCA2gw
ggLRoAMCAQICEB33j5shi+K5JpDD+pT/JY8wDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQ
ZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MTIxMjAxNTQzMVoXDTA5MTIxMjAxNTQz
MVowgZ8xHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIxHzAdBgkqhkiG9w0BCQEWEGpi
cmFkbGV5QG1hYy5jb20xHjAcBgkqhkiG9w0BCQEWD2picmFkbGV5QG1lLmNvbTEdMBsGCSqGSIb3
DQEJARYOdmU3anRiQG1hYy5jb20xHDAaBgkqhkiG9w0BCQEWDXZlN2p0YkBtZS5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEHYYZtnmnyZW2DXoJINd4XwXcP7mxuzwvhv9ise38
G+1B0TwZjbTZxSSj9v+tdNQDQkJdlEOs6IftnFyojhqUk16X0BxIt6lx0c3j63bOG9aKWb5gXT+v
qb/U+KSRVP1NaJzrUhkyk1YhSSQD4xbMSMKFg9591IyHGKSGEwVnSy/ao8T2mZ1o+0Pa4XgzAqcj
N1lij5futahpcch2xnBkNTcd1HmtW4rmz3G9EQPtNmDATX/IfMedNt51RY9001SUvbgmneKJXONl
qfzM4KfrHhvw7VA83lv8U5mt6uoUNnbOEgGxYRwp0jGoio91WSti8R8YEsx7VAg5G7Qnnov9AgMB
AAGjXTBbMEsGA1UdEQREMEKBEGpicmFkbGV5QG1hYy5jb22BD2picmFkbGV5QG1lLmNvbYEOdmU3
anRiQG1hYy5jb22BDXZlN2p0YkBtZS5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOB
gQAOGO9fnD8Fc3s4vnLVl/J1+YlEp7M2q6BQN/xdsqaYxH+j6+PHf3mkGk71AXyFDC0o0O6+jEtM
0MxZ1wI1u9oSmpERdzuWJX0V8Dmd0AHVWAOpgONj0z0tTngsfy6oTHv6lfqproqhHx5EdvL3OL6K
5KQngYsjn1EGdUjnjHj9pzCCBzcwggYfoAMCAQICAgDeMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
VQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IElu
dGVybWVkaWF0ZSBDbGllbnQgQ0EwHhcNMDkwMzIwMTk1NjIyWhcNMTAwMzIwMTk1NjIyWjCBozEL
MAkGA1UEBhMCQ0ExGTAXBgNVBAgTEEJyaXRpc2ggQ29sdW1iaWExEjAQBgNVBAcTCVZhbmNvdXZl
cjEtMCsGA1UECxMkU3RhcnRDb20gVmVyaWZpZWQgQ2VydGlmaWNhdGUgTWVtYmVyMRUwEwYDVQQD
EwxKb2huIEJyYWRsZXkxHzAdBgkqhkiG9w0BCQEWEGpicmFkbGV5QG1hYy5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDp4FL6v23T0f0pRJbhb9i+VnFIqM1HWlrTXuVPCho/vJ2Y
mN0XI3yLQIxtbepSJ1k/+BlysAIC0XtzgY9/6jSzEwgcLWlVQA2EJLgczBMDYpEgGq7ksnYgieLk
dY3Wa/ZDyQ34aC9fS/ZLNCtplnXJFKklyojar2hXZexSVDR/iJycwAP+jcW0GTanY5X5HQgasOJF
g+wve3J/siM77fNgklLaIWQhGBjL56AjgCFat323oSqegcymW3ifn/GCjE9dFDxPhJPTfBWxNdt4
CZYQJO53xEuKq9Tqz2q+bVCU25d+qOcYPLhmCiTd6kWxM0/2u0gd0jfptinpz/7oZAUdAgMBAAGj
ggOIMIIDhDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB
BQUHAwQwHQYDVR0OBBYEFInfLf4tth8xkQAt3Z2NeBq+28BnMBsGA1UdEQQUMBKBEGpicmFkbGV5
QG1hYy5jb20wgagGA1UdIwSBoDCBnYAUrlWDb+wxyrn3HfqvazHzyB3jrLuhgYGkfzB9MQswCQYD
VQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRo
b3JpdHmCAQ4wggFHBgNVHSAEggE+MIIBOjCCATYGCysGAQQBgbU3AQIAMIIBJTAuBggrBgEFBQcC
ARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0BggrBgEFBQcCARYoaHR0cDov
L3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRlLnBkZjCBvAYIKwYBBQUHAgIwga8wFBYNU3Rh
cnRDb20gTHRkLjADAgEBGoGWTGltaXRlZCBMaWFiaWxpdHksIHJlYWQgdGhlIHNlY3Rpb24gKkxl
Z2FsIExpbWl0YXRpb25zKiBvZiB0aGUgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
UG9saWN5IGF2YWlsYWJsZSBhdCBodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMGMG
A1UdHwRcMFowK6ApoCeGJWh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2NydHUyLWNybC5jcmwwK6Ap
oCeGJWh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL2NydHUyLWNybC5jcmwwgY4GCCsGAQUFBwEBBIGB
MH8wOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9zdWIvY2xhc3MyL2NsaWVu
dC9jYTBCBggrBgEFBQcwAoY2aHR0cDovL3d3dy5zdGFydHNzbC5jb20vY2VydHMvc3ViLmNsYXNz
Mi5jbGllbnQuY2EuY3J0MCMGA1UdEgQcMBqGGGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tLzANBgkq
hkiG9w0BAQUFAAOCAQEAqxkg6t2pWyE12tTDzRmvZGIcWfM+MrGobq0Uob+EhJ8ntYXECWcBPFk3
K2cwWI18sNLs7g/eJ1/DHwecTwfkMFPSTwVjFyKnowNUzFn/bcNWGEqrulOaPgOs80HYpkrBLBcp
1RuWSyM1qV/Oz3KajMFFwrYfpLrLltITRv1o5U3loYY5AEv5+n9eHXb5KsCX0zVEDlegVJO8yhUj
e3EKoU+kl0UvSPMq6NokF2D455QNJAJJvAV3tf29wt1Z2x+ccsQJkToL4pd8D0igrt9iWgF3YcSj
nVWQlrXQVEB1mCUxqldoC2XsCB2B6DDx+95Dzp3a/YDx7im1lppWEGMTxjCCB+IwggXKoAMCAQIC
AQ4wDQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4x
KzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0
YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MTAyNDIxMDI1NFoXDTEyMTAyMjIx
MDI1NFowgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJT
ZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFz
cyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMsohUWcASz7GfKrpTOMKqANy9BV7V0igWdGxA8IU77L3aTxErQ+fcxtDYZ36Z6G
H0YFn7fq5RADteP0AYzrCA+EQTfi8q1+kA3m0nwtwXG94M5sIqsvs7lRP1aycBke/s5g9hJHryZ2
acScnzczjBCAo7X1v5G3yw8MDP2m2RCye0KfgZ4nODerZJVzhAlOD9YejvAXZqHksw56HzElVIoY
SZ3q4+RJuPXXfIoyby+Y2m1E+YzX5iCZXBx05gk6MKAW1vaw4/v2OOLy6FZH3XHHtOkzUreG//Cs
FnB9+uaYSlR65cdGzTsmoIK8WH1ygoXhRBm98SD7Hf/r3FELNvUCAwEAAaOCA1swggNXMAwGA1Ud
EwQFMAMBAf8wCwYDVR0PBAQDAgGmMB0GA1UdDgQWBBSuVYNv7DHKufcd+q9rMfPIHeOsuzCBqAYD
VR0jBIGgMIGdgBROC+8apEBbpRdphzDKNGhD0EGu8qGBgaR/MH0xCzAJBgNVBAYTAklMMRYwFAYD
VQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBT
aWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIBATAJBgNV
HRIEAjAAMD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAoYhaHR0cDovL3d3dy5zdGFydHNzbC5j
b20vc2ZzY2EuY3J0MGAGA1UdHwRZMFcwLKAqoCiGJmh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9z
ZnNjYS1jcmwuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9zZnNjYS5jcmwwggFd
BgNVHSAEggFUMIIBUDCCAUwGCysGAQQBgbU3AQEEMIIBOzAvBggrBgEFBQcCARYjaHR0cDovL2Nl
cnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwNQYIKwYBBQUHAgEWKWh0dHA6Ly9jZXJ0LnN0YXJ0
Y29tLm9yZy9pbnRlcm1lZGlhdGUucGRmMIHQBggrBgEFBQcCAjCBwzAnFiBTdGFydCBDb21tZXJj
aWFsIChTdGFydENvbSkgTHRkLjADAgEBGoGXTGltaXRlZCBMaWFiaWxpdHksIHJlYWQgdGhlIHNl
Y3Rpb24gKkxlZ2FsIExpbWl0YXRpb25zKiBvZiB0aGUgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkgUG9saWN5IGF2YWlsYWJsZSBhdCBodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvcG9s
aWN5LnBkZjARBglghkgBhvhCAQEEBAMCAAcwUAYJYIZIAYb4QgENBEMWQVN0YXJ0Q29tIENsYXNz
IDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgRnJlZSBTU0wgRW1haWwgQ2VydGlmaWNhdGVzMA0GCSqG
SIb3DQEBBQUAA4ICAQAe9xAX/vbphHkvkDdNrslXWdO7fD3JaqnTT3jmmDu55r7UpW1H/v/J40UB
Xsw9DKU8TylE4RwZT5HDAMW42f1x498AzM4FOnL/pUTTvr6BiRlrify5ZovkDYVWjy1GYTJ+hPiB
Ev0HmHnDxjhnJIIkEvJ+niMHLLEdpNMhZnxMiTFRAtIF4WeYcpgXBjAxsEDRKBvw40K+r3N4lyky
SQNp2ElIJ8H1z2BmhxtppUdWpOVJ4Q1Gvn9jfV1qnMhFCDY+X1X8DrkKrTcpDExcGlefweQs7+DY
UK3spiQkJpN7qpPYlfy2GYHedv7lGa1ZAghMI/4882QVAK2zq6M60nHpOUMtYD61XtAs3ZD5L3yn
9LCdeK2j4ZbQ3uRdwvxAMFWwXyUK/ALP4lCu9QhxbnETOkBWT3FJul4/FUgzM0RRCEGhuQWiOFSo
a35XJTcYf/4E/ZuvOXhK04nUpe7DYTMWzRqL04yyoJQVHKHKSboytueydKuqFZKdJA9gi77OnPBY
L/yxkXGgkLC9tsi77oT4AgZry0/6lgX56ak+f/umQihNPgtKSQQjEYq9S8MlOHzpUM0vxsghATYs
dUPBw6r6ZxDHjXoUAD03DUMEbKsWvqFB7nJNVesngbu8miw1EYLA+fHfTaCidoV3CL75jKqM/KE8
7qrh9Fqti9bKqnkvpTGCAy4wggMqAgEBMIGTMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3Rh
cnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4
MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0EC
AgDeMAkGBSsOAwIaBQCgggFvMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF
MQ8XDTA5MTAxNTE0MDEwOVowIwYJKoZIhvcNAQkEMRYEFL3h852owvNjS7H5GYs3JRb8PeZNMIGF
BgkrBgEEAYI3EAQxeDB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGlu
ZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBD
QQIQHfePmyGL4rkmkMP6lP8ljzCBhwYLKoZIhvcNAQkQAgsxeKB2MGIxCzAJBgNVBAYTAlpBMSUw
IwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVy
c29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQHfePmyGL4rkmkMP6lP8ljzANBgkqhkiG9w0BAQEF
AASCAQChQimsyKXSeVgYJBj6RETe311ChWqXOuYZiisvFFoij2VVEXSJ/EX2lNRm0HVA35+BIihh
XQmvlFhgClxbTYJW1WIgBmKfHRWPxhmMbhU6dO8s9n6Z1jCSTvZ3oEHDHoq2RjxBow+sdVk0q065
9Vl4LlyTbu8j8zhGmlNteLhKByeV+mEqlroW7qpnYviswxOXwubGWLU6kI+TwNbHll9j6ui/bDfx
KAY1RPhcWFn7AaOicjb0oCMMNeyI42WqNFBYLBfM6sEqaQytYe5d8RdLnkMJRcDKxnEWJjt/PNQ6
wpUaXYKM2GARqylaerdvluhV03A2OZZnY1UiPVIzEsOQAAAAAAAA

--Apple-Mail-307-282678781--