Subject: RE: [saml-dev] Subject confirmation.
> While the user identified by the Subject is doing things on SPa, they do
> something that causes SPa to communicate with SPb but not through the
> browser. It's machine to machine.

Then anything anybody says in response to this is subject to the qualifier that it is not defined today by any SAML profile. That's an essential point. Realistically, the answer to any question you ask could be "anything" if it doesn't violate explicit SAML core processing rules.

> Now, I believe, this is where SubjectConfirmation comes in?

Maybe. Maybe not.

> SPb can use
> this to work out the relationship between SPa and the Subject?

Maybe. Maybe not. I'm not being funny, I'm just being honest.

> My reading of this seems to be:
>
> "Here's the subject and if you want to confirm them (whatever
> that means), here's their key too"

Confirmation means that the association between the subject and the attesting entity is of a certain nature. It might mean "equality", but in a particular profile, it might mean something else.

> What is SPb meant to do with the key from the KeyInfo?

If the confirmation method is holder-of-key, the assumed semantic is that the profile of use involves a proof of possession of the key and the relying party can use that proof to establish the attesting entity's association with the subject. In SOAP, it might mean a WSS header with a Signature in it.

I say "association" because that's all it means. Only the profile of use would establish the actual meaning of "association". SubjectConfirmation is a loose set of syntax and a framework for defining processing behavior for use by profiles to establish attesting entity and subject "association".

-- Scott
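The holder-of-key check described in the reply above, as an added example that is not part of the thread: a relying party (SPb) pulls the key named in a holder-of-key SubjectConfirmation out of the assertion and compares it with the key the presenter actually proved possession of. It assumes SAML 2.0 syntax, a constructed assertion with placeholder key names, and that the profile of use (e.g. a signed WSS header) has already established which key the presenter holds.

```python
# Added example, not code from the thread or any SAML implementation.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion: one bearer confirmation and one holder-of-key
# confirmation. ds:KeyName is a placeholder; real assertions usually carry
# X509Data or a KeyValue inside ds:KeyInfo instead.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:KeyName>spa-signing-key-01</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def holder_of_key_names(assertion_xml):
    """Return (subject NameID, key names from holder-of-key confirmations).

    Other confirmation methods (bearer, sender-vouches) carry different
    semantics, so their SubjectConfirmation elements are skipped here.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    keys = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOLDER_OF_KEY:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName"
        keys.extend(kn.text for kn in sc.findall(path, NS))
    return subject, keys


def confirm_subject(assertion_xml, presenter_key_name):
    """True only if the key the presenter proved possession of is one the
    assertion names for holder-of-key confirmation. What that association
    then means (equality or otherwise) is left to the profile of use."""
    _subject, keys = holder_of_key_names(assertion_xml)
    return presenter_key_name in keys
```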