[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] SAML Holder of Key Profile
Tom Scavo wrote on 2009-01-15:
> Does not what? No, I disagree, the RP must possess an X.509
> certificate known to be associated with the attesting entity. The RP
> confirms the attesting entity before consuming the HoK assertion. It
> does this by comparing the X.509 data in the certificate to the X.509
> data bound to the HoK assertion.

He means in advance of receiving the assertion. I think the confusion is
that because you're writing a protocol-neutral set of processing rules,
you're assuming various things would have taken place ahead of time.
Perhaps it's necessary to state those assumptions, not as processing
rules like before but just as "given".

>> When the attesting party presents the SAML Assertion to the RP, the
>> attesting party proves possession of the attesting party's cert.
>
> This is where your argument breaks down. There is no notion of
> "presenter" or "proof of possession" in this profile. Everything just
> *is*.

That's true within the scope of the profile, but once you embed the
profile into an actual security protocol, both notions emerge as
prerequisites simply because of the definition of subject confirmation.
It only applies if both exist.

-- Scott
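The comparison the two of them are discussing, as an added example that is not part of the thread or of any SAML implementation: a relying party takes the certificate the attesting entity proved possession of through the binding (for instance its TLS client certificate, which is the "presenter" and "proof of possession" the profile itself leaves to the surrounding protocol) and checks it against the X.509 data bound to the assertion's holder-of-key SubjectConfirmation. The assertion below is constructed for the example and the certificate bytes are not a real certificate; only ds:X509Certificate KeyInfo is handled, so any other KeyInfo form cannot be confirmed and the check fails closed. The function names are my own.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 assertions and XML Signature KeyInfo.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def hok_certificates(assertion_xml: str) -> list[bytes]:
    """DER bytes of every ds:X509Certificate bound to a holder-of-key
    SubjectConfirmation of the assertion.

    Bearer and other confirmation methods are ignored. KeyInfo forms other
    than ds:X509Certificate (X509SubjectName, X509IssuerSerial, X509SKI,
    KeyValue) are not handled here, so they can never be confirmed.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a saml:Assertion")
    certs = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert in sc.findall(path, NS):
            # Base64 in XML is usually line-wrapped; drop all whitespace first.
            text = "".join((cert.text or "").split())
            certs.append(base64.b64decode(text, validate=True))
    return certs


def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes) -> bool:
    """True iff the certificate the attesting entity proved possession of
    (e.g. its TLS client certificate, obtained from the binding, not from the
    assertion) matches one bound to the HoK assertion.

    Precondition (the "given" of the thread): the assertion's signature has
    already been verified by the RP, otherwise the KeyInfo compared here is
    attacker-controlled and the comparison proves nothing.
    """
    return any(hmac.compare_digest(c, presented_cert_der)
               for c in hok_certificates(assertion_xml))


# Constructed for the example: not a real certificate, any DER blob will do.
CONSTRUCTED_CERT_DER = b"\x30\x82\x00\x10constructed-cert-for-example"
_b64 = base64.b64encode(CONSTRUCTED_CERT_DER).decode()
_wrapped = "\n        ".join(_b64[i:i + 24] for i in range(0, len(_b64), 24))

# Constructed assertion: one bearer confirmation (ignored) and one HoK confirmation.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_c1" Version="2.0" IssueInstant="2009-01-15T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://rp.example.org/acs"/>
    </saml:SubjectConfirmation>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrapped}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    # The certificate the TLS layer saw on the connection that delivered the assertion.
    print(confirm_holder_of_key(SAMPLE_ASSERTION, CONSTRUCTED_CERT_DER))   # True
    print(confirm_holder_of_key(SAMPLE_ASSERTION, b"some other cert"))     # False
```

The point the example makes concrete is the one in the reply: the profile only defines the comparison, while "who presented the assertion" and "how they proved possession of the key" come from the binding the RP actually deployed, and the RP must have settled both (and verified the assertion's signature) before this function is meaningful.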