
saml-dev message


Subject: Re: [saml-dev] holder-of-key subject confirmation

I think we are in agreement. I had added:

    "It would seem that the main reliance of the RP in this scenario
    is on the trust it has in C2, and the SAML assertion can be
    thought of possibly as a 2nd factor of authentication, making
    the RP more confident in C2 than it would be otherwise."

indicating that in addition to "bearer" capability, the fact that
the subject names agree means that if the scenario is primarily
thought of as single factor X.509 based on C2, then the user
can add the SAML (hok) assertion in as a 2nd factor, which
adds significant value.

My point is that in this scenario, RP places primary trust
on C2, and only uses IdP to augment that trust, but IdP
is not accountable for anything the user does based on C2.

I guess the only thing I am wondering about is why the
IdP would issue an hok to a user who did not intend
to use the hok, i.e. would not a bearer token be more
appropriate for such a use? (Generally, by issuing an
hok, an IdP is authorizing the user to submit a whole
collection of information that the IdP has in some sense
agreed to be a party to. As such the IdP would probably
want to limit its issuance of hok assertions to users who
would only be authorized to act within some defined scope
of activity. If the IdP did not want to be involved in any
such scope, then from a subject confirmation perspective
I think the bearer token would offer the same amount
of authenticity without leaving an open-ended capability
that might implicitly tie the IdP to any particular use of
the assertion.)


Tom Scavo wrote:
On Mon, May 12, 2008 at 6:47 PM, Rich.Levinson <rich.levinson@oracle.com> wrote:
    The weakness I see here is that it seems to reduce a strong
    token (saml hok) to the level of a bearer token, because the
    inherent strength of the hok is not being used.

Not quite, since the IdP binds a name to the assertion, and that name
happens to be the same name bound to the certificate C2 that the RP
trusts.  So there's a linkage between the authentication token (C2)
and the authorization token (signed SAML assertion), not quite as
strong as typical h-o-k, but stronger than bearer, I think.  (I know,
I've used the words "strong" and "stronger" without defining what that
means, so you're welcome to throw stones :)
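
Added example, not part of the thread: Python that classifies how a SAML 2.0 subject is tied to the certificate the client authenticated with (C2), separating true holder-of-key from the name-only linkage discussed above. The labels `name-linked` and `unconfirmed`, the helper names, the sample DN and the placeholder certificate bytes (with C1 standing for the key named in the assertion) are assumptions of the example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def norm_dn(dn):
    # Simplified DN comparison for the example; real matching follows RFC 4518.
    return [part.strip().casefold() for part in dn.split(",")]

def classify(subject_xml, presented_der, presented_dn):
    # Assumes the assertion signature was already validated and that the TLS
    # layer proved possession of the private key for presented_der (C2).
    # Stdlib parser used for brevity; parse untrusted XML with a hardened one.
    subject = ET.fromstring(subject_xml)
    name_id = subject.findtext("saml:NameID", default="", namespaces=NS)
    methods = set()
    for conf in subject.findall("saml:SubjectConfirmation", NS):
        methods.add(conf.get("Method"))
        if conf.get("Method") != HOK:
            continue
        for cert in conf.iterfind(".//ds:X509Certificate", NS):
            if base64.b64decode(cert.text or "") == presented_der:
                return "holder-of-key"  # key in assertion is the key proven on the wire
    if HOK in methods and norm_dn(name_id) == norm_dn(presented_dn):
        return "name-linked"  # names agree, but the assertion's key was never proven
    return "bearer" if BEARER in methods else "unconfirmed"

def make_subject(dn, method, cert_der=None):
    # Builds constructed sample input; this is not a real assertion.
    key = ""
    if cert_der is not None:
        key = ("<saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data>"
               "<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>"
               "</ds:KeyInfo></saml:SubjectConfirmationData>"
               % base64.b64encode(cert_der).decode())
    return ('<saml:Subject xmlns:saml="%s" xmlns:ds="%s"><saml:NameID>%s</saml:NameID>'
            '<saml:SubjectConfirmation Method="%s">%s</saml:SubjectConfirmation>'
            "</saml:Subject>" % (NS["saml"], NS["ds"], dn, method, key))

C1, C2 = b"constructed-DER-for-C1", b"constructed-DER-for-C2"  # placeholders, not certificates
DN = "CN=Alice Example,O=Example Org,C=US"  # constructed subject name
if __name__ == "__main__":
    print(classify(make_subject(DN, HOK, C1), C2, DN))  # name-linked
    print(classify(make_subject(DN, HOK, C2), C2, DN))  # holder-of-key
    print(classify(make_subject(DN, BEARER), C2, DN))   # bearer
```

Returning a distinct label for the name-only case lets RP policy decide explicitly how much weight to give it instead of treating it as either holder-of-key or bearer.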

