Subject: RE: [saml-dev] holder-of-key subject confirmation
> I believe it depends upon the KeyInfo used by the IdP in the attribute
> assertion.

KeyInfo allows broad latitude, but the specific interpretation of it depends on the broader trust model in place, which would have to be documented someplace. That place definitely isn't SAML, though, at least not today.

> If the IdP identified C1 via specific reference (e.g. the
> actual certificate itself), the RP's message should not be considered
> valid as to meeting the requirements identified by the IdP.

This is an example of my point. Identifying the certificate has NO bearing on the actual technical requirements imposed on the other parties. I would assert (and have implemented, in effect) that treating the certificate as a key bag and accepting any proof that was based on the same public key is perfectly legal in SAML.

> OTOH, if the IdP used KeyInfo/X509Data/X509SubjectName to identify the
> subject name of the user and C2 had the same Subject name, presenting
> the message with proof of C2's private key would be considered to meet
> the requirements identified by the IdP.

In this case, I would claim this is impossible absent other constraints on the PKI in use. But probably possible in the abstract.

> Essentially, the IdP has control over what the presenting party
> must do to prove to the relying party that it can present the
> assertion.

That's true, but just stating HoK isn't normative to dictate exactly what those things might be. You need other profiles (or arguably a different confirmation method I suppose) for that.

-- Scott
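The point argued in this thread is that the holder-of-key KeyInfo itself does not fix the matching rule; the relying party's trust model does. The following is an added illustration, not code from the thread or from any SAML implementation: it parses a constructed holder-of-key SubjectConfirmation and checks a presented certificate against it under three selectable policies (exact certificate, same public key as a "key bag", or subject name). The `Cert` class, the certificates C1/C2/C3 and `decode_cert` are constructed stand-ins for real X.509 parsing; proof of possession (TLS client authentication or a message signature) is assumed to have been verified before this step.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (no real DER)."""
    der: bytes      # whole certificate bytes, what ds:X509Certificate carries
    spki: bytes     # SubjectPublicKeyInfo, i.e. the public key
    subject: str    # subject name, what ds:X509SubjectName carries


# Constructed certificates: C1 and C2 carry the same key (C2 is a re-issued
# certificate); C3 has the same subject name but a different key.
C1 = Cert(b"der-of-C1", b"spki-key-A", "CN=alice,O=Example")
C2 = Cert(b"der-of-C2", b"spki-key-A", "CN=alice,O=Example")
C3 = Cert(b"der-of-C3", b"spki-key-B", "CN=alice,O=Example")

# Stand-in for a DER parser: maps certificate bytes back to the parsed form.
_KNOWN = {c.der: c for c in (C1, C2, C3)}


def decode_cert(der: bytes) -> Optional[Cert]:
    return _KNOWN.get(der)


def build_hok_assertion(x509data_inner: str) -> str:
    """Constructed minimal assertion with a holder-of-key SubjectConfirmation."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>{x509data_inner}</ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def x509_certificate(cert: Cert) -> str:
    return "<ds:X509Certificate>%s</ds:X509Certificate>" % base64.b64encode(cert.der).decode()


def x509_subject_name(name: str) -> str:
    return "<ds:X509SubjectName>%s</ds:X509SubjectName>" % name


def _x509data_matches(x509data, presented: Cert, policy: str) -> bool:
    """Match one ds:X509Data element under the deployment's policy:
    'certificate': only the exact certificate the IdP referenced
    'key'        : any certificate carrying the same public key (key bag)
    'subject'    : any certificate with the referenced subject name"""
    cert_el = x509data.find(DS + "X509Certificate")
    if cert_el is not None and cert_el.text:
        referenced = decode_cert(base64.b64decode(cert_el.text.strip()))
        if referenced is None:
            return False
        if policy == "certificate":
            return referenced.der == presented.der
        if policy == "key":
            return referenced.spki == presented.spki
        if policy == "subject":
            return referenced.subject == presented.subject
        return False
    name_el = x509data.find(DS + "X509SubjectName")
    if name_el is not None and name_el.text:
        # A bare subject name carries no key, so only a subject-name policy
        # (backed by constraints on the PKI) can accept it.
        return policy == "subject" and name_el.text.strip() == presented.subject
    return False


def confirm_holder_of_key(assertion_xml: str, presented: Cert, policy: str) -> bool:
    """Does the certificate whose key the presenter already proved possession of
    satisfy the assertion's holder-of-key KeyInfo under the given policy?"""
    root = ET.fromstring(assertion_xml)
    for sc in root.iter(SAML + "SubjectConfirmation"):
        if sc.get("Method") != HOK:
            continue
        for x509data in sc.iter(DS + "X509Data"):
            if _x509data_matches(x509data, presented, policy):
                return True
    return False
```

With the IdP referencing C1 by its X509Certificate, the "certificate" policy accepts only C1, while the "key" policy (the key-bag reading argued above) also accepts the re-issued C2 and still rejects C3; a bare X509SubjectName can be satisfied only under a subject-name policy. The policy is an input to the check, not something read out of the assertion.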