[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] holder-of-key subject confirmation
> That's what I meant, sorry, but I don't want to require use of the
> same certificate. As I tried to outline earlier, the user presents C1
> to the IdP and C2 to the RP (where key(C1) != key(C2)), with the
> additional restriction that the same name is bound to both
> certificates. What I heard from Conor is that
> KeyInfo/X509Data/X509SubjectName is required in this case, and what
> I'm hearing from you is that this needs to be profiled somewhere. Is
> that a fair summary so far?

My reading of the XMLDSig spec is that if just the SubjectName appears in the KeyInfo, that's the only data that needs to match (of course, the RP probably still wants to ensure that the certificate's authority is trusted) and the behavior (of accepting C2 or C1 since both have the same Subject and that's all that's referenced in the KeyInfo) is how it should work without the need for a profile.

However, Scott raises a good point in that implementations may not have addressed this exact type of scenario and so there may be issues with depending on suitable operation out of out-of-the-box implementations from vendors (many of which probably expect a specific key or certificate reference rather than a reference by subject name).

Conor
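The check the thread is debating, written out as an added example (this is not code from the list or from any SAML implementation): a relying party receives a holder-of-key assertion whose KeyInfo carries only an X509SubjectName, and must decide whether a presented client certificate (C1 or C2, different keys but the same subject) confirms the subject. The example also shows the stricter behaviour many vendor toolkits expect, where KeyInfo carries an X509Certificate and only that exact certificate is accepted. Assumptions: the assertion XML is a constructed minimal fragment; the certificate's DER is modelled as a placeholder string rather than real base64; trust in the issuing authority is modelled as membership in a set of trusted issuer names; and the DN normalization is a deliberately simplified RFC 4514-style comparison, not a full DN canonicalization.

```python
"""Holder-of-key subject confirmation by X509SubjectName vs. X509Certificate.

Added example: constructed assertion fragments and placeholder certificates,
not output from any real IdP or SAML library.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


@dataclass(frozen=True)
class PresentedCert:
    """What the RP learns from the TLS client certificate (assumed fields)."""
    subject: str   # subject DN as rendered by the TLS stack
    issuer: str    # issuer DN, used here as a stand-in for chain validation
    der_b64: str   # placeholder for the base64 DER; a real RP compares bytes


def normalize_dn(dn: str) -> tuple:
    """Simplified DN normalization: split on unescaped commas, lower-case the
    attribute types, case-fold the values, drop surrounding whitespace."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    out = []
    for part in parts:
        typ, _, val = part.partition("=")
        out.append((typ.strip().lower(), val.strip().casefold()))
    return tuple(out)


def confirm_holder_of_key(assertion_xml: str, cert: PresentedCert,
                          trusted_issuers: set) -> tuple:
    """Return (accepted, reason) for one presented certificate."""
    # The subject-name match says nothing about who issued the certificate,
    # so the RP still has to trust the certificate's authority.
    if cert.issuer not in trusted_issuers:
        return False, "issuer not trusted"
    root = ET.fromstring(assertion_xml)
    reason = "no holder-of-key SubjectConfirmation"
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        ki = sc.find("saml:SubjectConfirmationData/ds:KeyInfo", NS)
        if ki is None:
            reason = "holder-of-key confirmation without KeyInfo"
            continue
        certs = [c.text.strip() for c in ki.iterfind("ds:X509Data/ds:X509Certificate", NS) if c.text]
        names = [n.text.strip() for n in ki.iterfind("ds:X509Data/ds:X509SubjectName", NS) if n.text]
        if certs:
            # An explicit certificate reference pins the exact certificate,
            # and therefore the key: C2 is rejected even with C1's subject.
            if cert.der_b64 in certs:
                return True, "matched X509Certificate"
            reason = "presented certificate differs from referenced X509Certificate"
        elif names:
            # Reference by subject name only: any trusted certificate bound to
            # that name confirms the subject, so both C1 and C2 are accepted.
            if normalize_dn(cert.subject) in {normalize_dn(n) for n in names}:
                return True, "matched X509SubjectName"
            reason = "subject name does not match X509SubjectName"
        else:
            reason = "KeyInfo carries no X509SubjectName or X509Certificate"
    return False, reason


def build_assertion(x509data_body: str) -> str:
    """Constructed minimal assertion carrying one holder-of-key confirmation."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
        f'ID="_constructed" Version="2.0"><saml:Subject>'
        f'<saml:NameID>alice</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{HOK}"><saml:SubjectConfirmationData>'
        f'<ds:KeyInfo><ds:X509Data>{x509data_body}</ds:X509Data></ds:KeyInfo>'
        f'</saml:SubjectConfirmationData></saml:SubjectConfirmation>'
        f'</saml:Subject></saml:Assertion>'
    )


# Constructed sample data: C1 and C2 share a subject but not a key/DER.
TRUSTED = {"CN=Example CA"}
C1 = PresentedCert("CN=Alice Example, O=Example Corp, C=US", "CN=Example CA", "DER-C1")
C2 = PresentedCert("cn=alice example,o=Example Corp,c=US", "CN=Example CA", "DER-C2")
C3 = PresentedCert("CN=Mallory, O=Example Corp, C=US", "CN=Example CA", "DER-C3")
C4 = PresentedCert("CN=Alice Example, O=Example Corp, C=US", "CN=Rogue CA", "DER-C4")
NAME_ONLY = build_assertion("<ds:X509SubjectName>CN=Alice Example, O=Example Corp, C=US</ds:X509SubjectName>")
PINNED = build_assertion("<ds:X509Certificate>DER-C1</ds:X509Certificate>")

if __name__ == "__main__":
    for label, assertion in (("name-only", NAME_ONLY), ("pinned", PINNED)):
        for cert in (C1, C2, C3, C4):
            print(label, cert.der_b64, confirm_holder_of_key(assertion, cert, TRUSTED))
```

With the name-only KeyInfo, C1 and C2 are both accepted and C3 (different subject) and C4 (untrusted issuer) are not; with the pinned X509Certificate, only C1 is accepted. The choice to let an X509Certificate take precedence over an accompanying X509SubjectName is this example's policy, mirroring the vendor behaviour the reply describes rather than anything the spec mandates.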