saml-dev message


Subject: RE: [saml-dev] holder-of-key subject confirmation


> As I reread the emails a 2nd time, I find that I technically
> agree with the responses that you gave, but to me the
> net result of the chain of emails did not clearly explain
> where the potential problems were with Tom's scenario.

I agree with you on that; I was making several false starts trying to
identify what bugged me about the initial suggestion, and why it seemed
fishy to me, while also trying to argue that, in general, the idea wasn't
strictly illegal. I came to the conclusion that, in general, it was
insecure, but that in particular situations in which a PKI in place imposed
additional constraints on processing, it would be viable.

> I did not make any assumptions about the certificates.
> As it turned out it is only when Tom introduced the
> assumption that RP trusted C2 that the scenario began
> to firm up.

I agree.

> However, Tom introduced C2 to the picture here, again with no
> assumptions about C2.

Right. I was trying to say, I think you have to make some, but if you made
them, it could work.

> So, as I initially indicated, I do not think we disagree on the
> technical details, but simply have been presenting two
> perspectives of how to view the scenario and clarify its
> details so that it is more substantive than the initial description
> explicitly described. In particular, without applying constraints
> to C2, the original description is completely unsafe, imo.

I agree with all of that. I just don't think that, whatever the merits of
the use case, it quite degenerates to "bearer" in light of the key proof
that's still being applied.

-- Scott
