OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: http://saml.xml.org/news/holder-of-key-web-browser-sso-profile

Hi Peter,

On Tue, Nov 18, 2008 at 12:55 PM, Peter Sylvester
<Peter.Sylvester@edelweb.fr> wrote:
> I am bit confused about what is written in the
>  http://saml.xml.org/news/holder-of-key-web-browser-sso-profile
> "The service provider should rely on no information from the certificate
> beyond the key; instead, it consumes the assertion to create a security
> context."

Well, first of all, I suggest you read the profile first hand:


since what you find on saml.xml.org may or may not be technically correct.

Second, you're not the first to ask about this issue (which says
something to me).  In fact, it came up in that (long) thread in the

> An X509 certicate bind a public key to some identity (or more) assuming
> that you do identity based authorisation for example. So one needs the
> identity information, this is MORE that the DN.

No, in this case, the identity is in the SAML, not the X.509.  In
general, the relying party does not trust the issuer of the X.509
certificate, but the latter is required at the TLS layer so that the
presenter can prove possession of the private key.  It is this
proof-of-possession step that makes the profile work.  The identity in
the certificate does not come into play.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]