
saml-dev message


Subject: RE: [saml-dev] holder-of-key subject confirmation

> I believe it depends upon the KeyInfo used by the IdP in the attribute
> assertion.

KeyInfo allows broad latitude, but the specific interpretation of it depends
on the broader trust model in place, which would have to be documented
someplace. That place definitely isn't SAML, though, at least not today.

> If the IdP identified C1 via specific reference (e.g. the
> actual certificate itself), the RP's message should not be considered
> valid as to meeting the requirements identified by the IdP.

This is an example of my point. Identifying the certificate has NO bearing
on the actual technical requirements imposed on the other parties. I would
assert (and have implemented, in effect) that treating the certificate as a
key bag and accepting any proof that was based on the same public key is
perfectly legal in SAML.

> OTOH, if the IdP used KeyInfo/X509Data/X509SubjectName to identify the
> subject name of the user and C2 had the same Subject name, presenting
> the message with proof of C2's private key would be considered to meet
> the requirements identified by the IdP.

In this case, I would claim this is impossible absent other constraints on
the PKI in use. But probably possible in the abstract.

> Essentially, the IdP has control over what the presenting party
> must do to prove to the relying party that it can present the
> assertion.

That's true, but just stating HoK isn't normative to dictate exactly what
those things might be. You need other profiles (or arguably a different
confirmation method I suppose) for that.

-- Scott
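The check Scott describes, written out as an added example (not code from the list or from any SAML implementation): the relying party treats whatever certificate the IdP embedded in the holder-of-key `KeyInfo` as a key bag and accepts a presenter who proves possession of the same public key, even under a different certificate, while a `KeyInfo` that carries only an `X509SubjectName` is refused because it pins no key. The SAML and XML-DSig namespace URIs are real; the DER helpers and the two sample certificates are toy constructions (unsigned skeletons with made-up moduli) built inline so the example runs offline with only the standard library.

```python
"""
Relying-party holder-of-key check written the way the reply above argues:
compare the PUBLIC KEY named in the assertion's KeyInfo with the key the
presenter proved possession of, treating any certificate as a key bag.
Added example, not from the mailing list or any SAML implementation; the
DER helpers and sample certificates are toy constructions for illustration.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# ---- minimal DER encode/decode (toy, enough for the constructed certs) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_children(seq):
    """Encodings of the elements directly inside a DER SEQUENCE."""
    def read_len(buf, i):
        l = buf[i]; i += 1
        if l & 0x80:
            n = l & 0x7F
            l = int.from_bytes(buf[i:i + n], "big"); i += n
        return l, i
    assert seq[0] == 0x30, "expected SEQUENCE"
    length, i = read_len(seq, 1)
    body, out, j = seq[i:i + length], [], 0
    while j < len(body):
        l2, k = read_len(body, j + 1)
        out.append(body[j:k + l2])
        j = k + l2
    return out

def spki_of(cert_der):
    """SubjectPublicKeyInfo of a DER certificate (v1 or v3 field layout)."""
    fields = der_children(der_children(cert_der)[0])   # tbsCertificate fields
    return fields[6 if fields[0][0] == 0xA0 else 5]   # explicit [0] version shifts index

# ---- constructed sample certificates (unsigned skeletons, NOT real keys) ----
def toy_rsa_spki(modulus):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")  # rsaEncryption
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + key))

def toy_cert(serial, cn, spki):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + sig_alg + name + validity + name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00\x00\x00\x00\x00"))

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0">
 <saml:Subject><saml:NameID>alice</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
   <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
    <ds:KeyInfo><ds:X509Data>{x509data}</ds:X509Data></ds:KeyInfo>
   </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>
 </saml:Subject></saml:Assertion>"""

def hok_confirmed(assertion_xml, presented_cert_der):
    """(ok, reason): ok when a holder-of-key KeyInfo names the same public key
    the presenter demonstrated possession of (e.g. via TLS client authentication)."""
    presented = spki_of(presented_cert_der)
    root = ET.fromstring(assertion_xml)
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        for ki in sc.iterfind(".//ds:KeyInfo", NS):
            for cert in ki.iterfind("ds:X509Data/ds:X509Certificate", NS):
                if spki_of(base64.b64decode(cert.text.strip())) == presented:
                    return True, "KeyInfo public key matches presented key"
            if ki.find("ds:X509Data/ds:X509SubjectName", NS) is not None:
                # A bare subject name pins no key: without profile-level PKI
                # constraints any certificate carrying that name would qualify.
                return False, "X509SubjectName alone does not identify a key"
    return False, "no holder-of-key confirmation matches the presented key"

def demo():
    key = toy_rsa_spki(b"\x00\xc3" + b"\x5a" * 30)        # constructed modulus
    c1 = toy_cert(1, "alice", key)                         # the cert the IdP embedded
    c2 = toy_cert(2, "alice", key)                         # re-issued cert, same key pair
    c3 = toy_cert(3, "alice", toy_rsa_spki(b"\x00\xd7" + b"\x3c" * 30))  # same name, other key
    by_cert = ASSERTION.format(x509data="<ds:X509Certificate>%s</ds:X509Certificate>"
                               % base64.b64encode(c1).decode())
    by_name = ASSERTION.format(x509data="<ds:X509SubjectName>CN=alice</ds:X509SubjectName>")
    return (hok_confirmed(by_cert, c1)[0], hok_confirmed(by_cert, c2)[0],
            hok_confirmed(by_cert, c3)[0], hok_confirmed(by_name, c1)[0])

if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The second result is the key-bag behaviour: C2 is a different certificate (new serial) over the same key pair and is accepted. The third is the subject-name trap from the thread: a certificate with the same subject name but a different key is rejected, because the comparison is on the SubjectPublicKeyInfo, never on the name. The fourth shows the name-only `KeyInfo` being refused outright; a deployment that wants to accept it has to document, in a profile outside SAML, which PKI constraints make the name unambiguous.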
