

Subject: RE: [saml-dev] question on Holder fo the key


We have a requirement for using SOAP messages using SAML HOK for authentication. I agree that TLS mutual authentication CAN be part of the trust model, but it is at the transport layer and not at the message layer (and has its own limitations). My personal judgement is layered security, and each layer serves a different purpose. I can trust A more if A can provide credentials 1 & 2, but I can trust B less if he can only provide credential 1.

Sorry, this is way out of scope. Could you please point me to the correct TC group?

Thank you very much!

Stephen



From:        Eric Heflin <eheflin@medicity.com>
To:        "Cantor, Scott E." <cantor.2@osu.edu>, "swu@axolotl.com" <swu@axolotl.com>
Cc:        "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>
Date:        05/24/2011 10:41 AM
Subject:        RE: [saml-dev] question on Holder fo the key




Also, wouldn't the "bearer" SubjectConfirmation method be a closer match to these requirements than "holder-of-key"?

Eric Heflin
Dir of Standards and Interoperability
Medicity
THE Standard for Meaningful HIE.      
www.medicity.com
801.415.2672 (o)
801.674.2313 (m)
eheflin (Skype)

-----Original Message-----
From: Cantor, Scott E. [mailto:cantor.2@osu.edu]
Sent: Tuesday, May 24, 2011 11:24 AM
To: swu@axolotl.com
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] question on Holder fo the key

On 5/24/11 1:20 PM, "swu@axolotl.com" <swu@axolotl.com> wrote:

>I guess then my question would be how
>would SAML establish trust relationship in HOK case if no certificate
>is included (neither from IdP nor Client).

Out of scope.

And for the record, if you establish trust based on the certificate directly, you probably wouldn't need SAML.

-- Scott

