OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: HoK assertions in the ICAM profile

ICAM [1] has specified holder-of-key assertions at LoA 4 such that
"the <ds:X509Certificate> element MUST contain the certificate that
the end user used to authenticate to the IdP" and "the RP must
validate that the certificate issuer is cross-certified with the
Federal Bridge Certification Authority." Note that there is no
reference to the SAML V2.0 Holder-of-Key Web Browser SSO Profile in
the ICAM document.

Maybe the ICAM document is irrelevant to the broader SAML community, I
don't know, but the document's failure to distinguish between the
strength of the authentication token and the key bound to the
assertion (as in the HoK Web Browser SSO profile) is unfortunate, I
think. Didn't the SSTC send a letter to the U.S. government regarding
holder-of-key assertions at one point?


[1] Security Assertion Markup Language (SAML) 2.0 Web Browser Single
Sign-on (SSO) Profile, Version 1.0, September 27, 2010

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]