OASIS Mailing List Archives

saml-dev message



Subject: Re: [saml-dev] holder-of-key subject confirmation


On Mon, May 12, 2008 at 6:47 PM, Rich.Levinson <rich.levinson@oracle.com> wrote:
>
>  The weakness I see here is that it seems to reduce a strong
>  token (saml hok) to the level of a bearer token, because the
>  inherent strength of the hok is not being used.

Not quite, since the IdP binds a name to the assertion, and that name
happens to be the same name bound to the certificate C2 that the RP
trusts.  So there's a linkage between the authentication token (C2)
and the authorization token (signed SAML assertion), not quite as
strong as typical h-o-k, but stronger than bearer, I think.  (I know,
I've used the words "strong" and "stronger" without defining what that
means, so you're welcome to throw stones :)

Tom

