Subject: Re: [saml-dev] holder-of-key subject confirmation
On Mon, May 12, 2008 at 6:47 PM, Rich.Levinson <rich.levinson@oracle.com> wrote:

> The weakness I see here is that it seems to reduce a strong
> token (saml hok) to the level of a bearer token, because the
> inherent strength of the hok is not being used.

Not quite, since the IdP binds a name to the assertion, and that name happens to be the same name bound to the certificate C2 that the RP trusts. So there's a linkage between the authentication token (C2) and the authorization token (signed SAML assertion), not quite as strong as typical h-o-k, but stronger than bearer, I think.

(I know, I've used the words "strong" and "stronger" without defining what that means, so you're welcome to throw stones :)

Tom
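The two linkages contrasted in the reply, as an added example that is not from the thread: a relying-party check that accepts a holder-of-key assertion only when the key the IdP named matches the key the client proved possession of, and a bearer assertion only when the IdP-asserted NameID equals the subject name of the trusted client certificate C2. The minimal assertion is constructed, the IdP signature is assumed already verified, and identifying the key by ds:KeyName is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed minimal assertion; the IdP signature is assumed to have been
# verified before this check runs.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Subject>
    <saml:NameID>CN=alice,O=Example</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData>{keyinfo}</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""
KEYINFO = "<ds:KeyInfo><ds:KeyName>alice-key-1</ds:KeyName></ds:KeyInfo>"


def confirm_subject(assertion_xml, cert_subject, cert_key_name):
    """cert_subject and cert_key_name describe the client certificate (C2)
    the RP already trusts from the authenticated connection. Returns the
    linkage established: 'holder-of-key', 'name-linked bearer', or None."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or name_id is None:
        return None
    method = sc.get("Method")
    if method == HOK:
        # Strong binding: the key named in the assertion must be the key
        # the client demonstrated possession of (assumed: compared by KeyName).
        key_name = sc.findtext(
            "saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName", namespaces=NS)
        return "holder-of-key" if key_name == cert_key_name else None
    if method == BEARER:
        # Weaker binding from the reply: no key in the assertion, but the
        # IdP-asserted name must equal the name in the trusted certificate C2,
        # so the assertion is not usable over a connection authenticated as
        # someone else.
        return "name-linked bearer" if name_id == cert_subject else None
    return None


def sample(method, keyinfo=""):
    """Build a constructed assertion with the given confirmation method."""
    return ASSERTION_TEMPLATE.format(method=method, keyinfo=keyinfo)
```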