OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] holder-of-key subject confirmation

I would say the answer to this is "no". I have read all the follow-up
emails and do not think they addressed the core problem which I
will attempt to do here.

User has private key PR-K1 associated w cert C1 that is used to
sign message sent to IdP. IdP uses users public key PU-K1 to
verify and authenticate user and sends back signed attr assertion
using IdP private key, say PR-K3 and assertion contains C1 so
that user can prove they are "holder of key" by signing a message
w PR-K1 that can be verified by RP w PU-K1, just like the IdP did.

User then goes to relying party RP w cert C2, which is not validated
by anyone according to the original email. i.e. IdP has reason to trust
C1, but there is no indication anyone has reason to trust C2.

RP could trust C1 because IdP puts C1 in assertion signed w PR-K3,
which RP can validate w PU-K3, which RP trusts because has relation
w IdP and PU-K3.

However, there is no connection that RP has to C2. C2 just came out
of the blue and there is no one that has vouched for the holder of the
PR-K2, based on presentation of msg signed by PU-K2.

i.e. RP trusts PU-K1, because assertion contains C1 signed by PR-K3.

RP has no reason to trust PU-K2, because IdP has shown no involvement
with C2 and is not vouching for holder of PR-K2.

Basically the IdP is vouching for the holder of PR-K1, and incidentally
the cert, C1.

Anyone can read the cert, C1, and create a new cert, C2 with the same
subject name etc. But no one should trust C2, because C2 was not
contained in anything signed by IdP.

Bottom line: for RP to trust anything from user that RP wants backed
up by IdP, then user must sign message with PR-K1 to show it holds
key assoc w C1.

Using C2 is irrelevant to RP, because there is no direct tie to IdP.

    Just my 2 cents,

Tom Scavo wrote:
> Consider the following sequence of protocol exchanges:
> 1. A user self-queries an IdP for attributes, authenticating with an
> X.509 certificate (C1).
> 2. The IdP issues a signed attribute assertion, binding the user's
> certificate to a holder-of-key <SubjectConfirmation> element.
> 3. The user presents the signed attribute assertion to a relying
> party, authenticating with a different X.509 certificate (C2).
> If the RP can verify that the subject names in C1 and C2 are the same,
> can the RP conclude that the subject is confirmed?
> Thanks,
> Tom
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]