OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] holder-of-key subject confirmation

Hi Tom,

If the RP trusted C2, then, I think, informally, that RP could
then rely on the confirmation. By "informally", I mean that the
IdP has a formal relationship w the user and by issuing the
saml assertion is potentially authorizing the user to conduct
certain types of activities that would be guaranteed by the
IdP if the user signed with private key of C1.

However, I do not believe, in general, that the IdP would
consider itself responsible for anything done with C2.

However, an RP, that trusted IdP for confirmation of the
subject in C1, might be willing to assume that the subject
of C2 was, in fact, the same subject.

The weakness I see here is that it seems to reduce a strong
token (saml hok) to the level of a bearer token, because the
inherent strength of the hok is not being used.

It would seem that the main reliance of the RP in this scenario
is on the trust it has in C2, and the saml assertion can be
thought of possibly as a 2nd factor of authentication, making
the RP more confident in C2, then it would be otherwise.

I think I would need to understand more about the objectives
of this combination of authentications - i.e. who is the RP going
to be holding accountable for what.


Tom Scavo wrote:
ea2af9bd0805121502g4be176b1xd2fac06deba0a04f@mail.gmail.com" type="cite">
On Sun, May 11, 2008 at 10:32 PM, Rich.Levinson
<rich.levinson@oracle.com> wrote:
 Anyone can read the cert, C1, and create a new cert, C2 with the same
 subject name etc. But no one should trust C2, because C2 was not
 contained in anything signed by IdP.

Rich, would you change your point of view if the relying party RP
happens to trust the certificate C2 presented by the user?


To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]