saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [saml-dev] holder-of-key subject confirmation


On Sun, May 11, 2008 at 1:43 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
>  > If <KeyInfo> contains a key, the RP confirms the subject if the presenter
>  > proves possession of the key.  If <KeyInfo> contains a name, the RP
>  > confirms the subject if the presenter proves itself to be the named
>  > subject.
>
>  Not true. In both cases you must prove possession of a key. The difference
>  is in how the key is identified by the IdP, and that is simply an unprofiled
>  hook. But in most cases I've seen, using subject name is interpreted to mean
>  "presents a certificate from a trusted source containing that name".

That's what I meant, sorry, but I don't want to require use of the
same certificate.  As I tried to outline earlier, the user presents C1
to the IdP and C2 to the RP (where key(C1) != key(C2)), with the
additional restriction that the same name is bound to both
certificates.  What I heard from Conor is that
KeyInfo/X509Data/X509SubjectName is required in this case, and what
I'm hearing from you is that this needs to be profiled somewhere.  Is
that a fair summary so far?

Tom
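As an added illustration (not code from the thread or from any OASIS project), here is how a relying party might apply the two KeyInfo shapes discussed above: a key (X509Certificate) that must equal the proven certificate, versus an X509SubjectName that any trusted certificate bearing that name may satisfy. The assertion fragment, the certificate value and the ProvenKey type are constructed assumptions, and DN matching is a simplified string comparison rather than full X.500 name matching.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed assertion fragment: the IdP names the subject (C1's name) rather than C1's key.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <saml:Subject><saml:NameID>tom</saml:NameID>
  <saml:SubjectConfirmation Method="{HOK}">
   <saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data>
    <ds:X509SubjectName>CN=Tom, O=Example, C=US</ds:X509SubjectName>
   </ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>
  </saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""

@dataclass
class ProvenKey:
    """What the RP's transport already established: the presenter proved possession
    of the private key for this certificate (e.g. TLS client authentication)."""
    cert_b64: str         # base64 DER of the proven certificate (constructed value)
    subject_dn: str       # subject name carried in that certificate
    issuer_trusted: bool  # whether the RP trusts the certificate's issuer

def normalize_dn(dn: str) -> tuple:
    """Split an RFC 4514 string on unescaped commas; lower-case types, trim values."""
    return tuple((t.strip().lower(), v.strip())
                 for t, _, v in (rdn.partition("=") for rdn in re.split(r"(?<!\\),", dn)))

def confirm_holder_of_key(assertion_xml: str, proven: ProvenKey) -> bool:
    """Return True only if some holder-of-key SubjectConfirmation matches the proven key."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        x509 = sc.find("saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data", NS)
        if x509 is None:
            continue
        cert = x509.find("ds:X509Certificate", NS)
        name = x509.find("ds:X509SubjectName", NS)
        # Key given: the proven certificate must be exactly that one (C1 == C2).
        if cert is not None and "".join(cert.text.split()) == proven.cert_b64:
            return True
        # Name given: any trusted certificate bearing that name will do (C1 != C2).
        if (cert is None and name is not None and proven.issuer_trusted
                and normalize_dn(name.text) == normalize_dn(proven.subject_dn)):
            return True
    return False
```

Either way the check runs only after key possession has been proven; the KeyInfo contents decide which proven certificate is acceptable, not whether proof is needed.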
