Subject: Re: [saml-dev] holder-of-key subject confirmation
On Sun, May 11, 2008 at 1:43 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
> > If <KeyInfo> contains a key, the RP confirms the subject if the presenter
> > proves possession of the key. If <KeyInfo> contains a name, the RP
> > confirms the subject if the presenter proves itself to be the named
> > subject.
>
> Not true. In both cases you must prove possession of a key. The difference
> is in how the key is identified by the IdP, and that is simply an unprofiled
> hook. But in most cases I've seen, using subject name is interpreted to mean
> "presents a certificate from a trusted source containing that name".

That's what I meant, sorry, but I don't want to require use of the same
certificate. As I tried to outline earlier, the user presents C1 to the IdP
and C2 to the RP (where key(C1) != key(C2)), with the additional restriction
that the same name is bound to both certificates.

What I heard from Conor is that KeyInfo/X509Data/X509SubjectName is required
in this case, and what I'm hearing from you is that this needs to be
profiled somewhere. Is that a fair summary so far?

Tom
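The two KeyInfo forms argued over in the message above, as an added example that is not code from the thread or from any SAML implementation: an RP-side check in which a key-form KeyInfo (ds:X509Certificate) requires the presenter's TLS client certificate to be the bound certificate, while a name-form KeyInfo (ds:X509SubjectName) accepts a different certificate C2 whose subject name matches and whose issuer the RP trusts. PresentedCert, the DER placeholder strings and the sample assertion are constructed for the example, and the DN matching is a deliberate simplification.

```python
from dataclasses import dataclass
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

@dataclass
class PresentedCert:
    # Constructed stand-in for the TLS client-auth cert seen at the RP; the
    # handshake itself is the proof of possession of its key.
    subject_dn: str
    issuer_dn: str
    der_b64: str  # base64 DER of the certificate (placeholder value below)

def norm_dn(dn):
    # Simplified DN normalisation; real code needs full RFC 4514 matching.
    return ",".join(f"{t.strip().lower()}={v.strip()}"
                    for t, _, v in (p.partition("=") for p in dn.split(",")))

def confirm_holder_of_key(assertion_xml, presented, trusted_issuers):
    """True if a holder-of-key SubjectConfirmation is met under either form."""
    trusted = {norm_dn(i) for i in trusted_issuers}
    root = ET.fromstring(assertion_xml)
    for sc in root.findall(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        x509 = sc.find("saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data", NS)
        if x509 is None:
            continue
        cert = x509.find("ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # Key form: presenter must hold the very certificate (C1) the IdP
            # bound; a different key with the same name does not confirm.
            if "".join(cert.text.split()) == presented.der_b64:
                return True
            continue
        name = x509.find("ds:X509SubjectName", NS)
        if name is not None and name.text:
            # Name form: possession of *some* key (C2) was proven at TLS and
            # C2 carries the bound name, which only counts from a trusted CA.
            if (norm_dn(name.text) == norm_dn(presented.subject_dn)
                    and norm_dn(presented.issuer_dn) in trusted):
                return True
    return False
# Constructed sample: the IdP bound the subject name it saw in C1, not C1's key.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <saml:Subject><saml:SubjectConfirmation Method="{HOK}"><saml:SubjectConfirmationData>
  <ds:KeyInfo><ds:X509Data><ds:X509SubjectName>CN=Tom, O=Example</ds:X509SubjectName>
  </ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData></saml:SubjectConfirmation>
 </saml:Subject></saml:Assertion>"""
C2 = PresentedCert("cn=Tom,o=Example", "CN=Example CA", "DER-OF-C2")
```

With `confirm_holder_of_key(ASSERTION, C2, {"CN=Example CA"})` the name-form check passes even though C2's key differs from C1's; swap the X509SubjectName for an X509Certificate holding C1 and the same C2 is rejected.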