OASIS Mailing List Archives
saml-dev message
Subject: RE: [saml-dev] holder-of-key subject confirmation



> That's what I meant, sorry, but I don't want to require use of the
> same certificate.  As I tried to outline earlier, the user presents C1
> to the IdP and C2 to the RP (where key(C1) != key(C2)), with the
> additional restriction that the same name is bound to both
> certificates.  What I heard from Conor is that
> KeyInfo/X509Data/X509SubjectName is required in this case, and what
> I'm hearing from you is that this needs to be profiled somewhere.  Is
> that a fair summary so far?

My reading of the XMLDSig spec is that if just the SubjectName appears in
the KeyInfo, that's the only data that needs to match (of course, the RP
probably still wants to ensure that the certificate's authority is
trusted), and the behavior (of accepting C2 or C1, since both have the same
Subject and that's all that's referenced in the KeyInfo) is how it should
work without the need for a profile.

However, Scott raises a good point in that implementations may not have
addressed this exact type of scenario, and so there may be issues with
depending on suitable operation from out-of-the-box implementations from
vendors (many of which probably expect a specific key or certificate
reference rather than a reference by subject name).

Conor
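The check the two messages above are discussing, written out as an added example (this is not code from the thread, from OASIS, or from any vendor product). It models an RP receiving a holder-of-key assertion whose KeyInfo carries only ds:X509SubjectName, and a client that presents a certificate C2 with the same subject name but a different key than the C1 the IdP saw. The assertion fragment, the certificate records (plain dicts standing in for parsed X.509 certificates, with a placeholder string in place of base64 DER), the trusted-issuer list and the function names are all constructed for this example; the DN comparison is a deliberately small normalization, not a full RFC 4514 parser. The second assertion variant pins ds:X509Certificate instead, which is the behaviour Conor says many products actually expect.

```python
"""Holder-of-key subject confirmation matched by X509SubjectName vs X509Certificate.

Added example: the assertion text, the certificate dicts and the helper
names below are constructed for illustration and are not from the thread.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed assertion: the IdP saw C1 and referenced its holder only by subject name.
ASSERTION_BY_SUBJECT_NAME = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_hyp1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509SubjectName>CN=Alice Example, OU=Users, O=Example Corp, C=US</ds:X509SubjectName>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Same assertion, but pinning the exact certificate C1 (placeholder stands in for base64 DER).
ASSERTION_BY_CERT = ASSERTION_BY_SUBJECT_NAME.replace(
    "<ds:X509SubjectName>CN=Alice Example, OU=Users, O=Example Corp, C=US</ds:X509SubjectName>",
    "<ds:X509Certificate>BASE64(DER(C1))</ds:X509Certificate>")

# Constructed certificate records presented at the RP (not real X.509 objects).
C1 = {"subject": "CN=Alice Example, OU=Users, O=Example Corp, C=US",
      "issuer": "CN=Example Corp CA, O=Example Corp, C=US",
      "der_b64": "BASE64(DER(C1))"}
C2 = dict(C1, der_b64="BASE64(DER(C2))")            # different key pair, same subject name
MALLORY = dict(C1, subject="CN=Mallory, OU=Users, O=Example Corp, C=US", der_b64="BASE64(DER(M))")
ROGUE = dict(C2, issuer="CN=Rogue CA, O=Evil, C=US")  # right name, untrusted authority
TRUSTED_ISSUERS = ["CN=Example Corp CA, O=Example Corp, C=US"]


def normalize_dn(dn):
    """Small RFC 4514-style normalization: split on unescaped commas, upper-case
    attribute types, collapse whitespace and case in values. A real RP should
    compare parsed DNs with an X.500-aware library; this only shows that the
    comparison is on the name, never on the key."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        typ, _, val = rdn.partition("=")
        out.append((typ.strip().upper(), " ".join(val.split()).lower()))
    return tuple(out)


def hok_key_references(assertion_xml):
    """One dict per ds:KeyInfo under a holder-of-key SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    refs = []
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        for ki in sc.iterfind("saml:SubjectConfirmationData/ds:KeyInfo", NS):
            refs.append({
                "subject_names": [e.text.strip() for e in ki.iterfind("ds:X509Data/ds:X509SubjectName", NS)],
                "certificates": ["".join(e.text.split()) for e in ki.iterfind("ds:X509Data/ds:X509Certificate", NS)],
            })
    return refs


def confirm_holder_of_key(assertion_xml, presented, trusted_issuers):
    """Does the certificate presented at the RP confirm the assertion's subject?
    Returns (accepted, reason). Trust in the issuing authority is checked first,
    because a subject-name-only reference is satisfied by any certificate that
    carries that name."""
    trusted = {normalize_dn(i) for i in trusted_issuers}
    if normalize_dn(presented["issuer"]) not in trusted:
        return False, "presented certificate not issued by a trusted authority"
    refs = hok_key_references(assertion_xml)
    if not refs:
        return False, "no holder-of-key KeyInfo in assertion"
    for ref in refs:
        if ref["certificates"]:
            # Explicit certificate pins C1: only that exact certificate confirms.
            if "".join(presented["der_b64"].split()) in ref["certificates"]:
                return True, "presented certificate matches X509Certificate"
            continue
        if ref["subject_names"]:
            # Name-only reference: C1 or C2 both confirm, as the thread describes.
            if normalize_dn(presented["subject"]) in {normalize_dn(n) for n in ref["subject_names"]}:
                return True, "presented certificate subject matches X509SubjectName"
    return False, "presented certificate does not match any KeyInfo reference"


if __name__ == "__main__":
    for label, cert in [("C1", C1), ("C2", C2), ("Mallory", MALLORY), ("rogue CA", ROGUE)]:
        print("name reference, presenting %-8s -> %s" % (label, confirm_holder_of_key(ASSERTION_BY_SUBJECT_NAME, cert, TRUSTED_ISSUERS)))
        print("cert reference, presenting %-8s -> %s" % (label, confirm_holder_of_key(ASSERTION_BY_CERT, cert, TRUSTED_ISSUERS)))
```

Running it shows the two behaviours side by side: with a ds:X509SubjectName reference, both C1 and C2 confirm the subject and Mallory's certificate from the same CA does not; with a ds:X509Certificate reference, only C1 confirms and C2 is rejected, which is the out-of-the-box behaviour Conor cautions about. The trust-anchor check is what keeps a name-only reference safe: without it, any certificate bearing the expected subject name, from any CA, would confirm the subject.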

