[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: http://saml.xml.org/news/holder-of-key-web-browser-sso-profile
On Tue, Nov 18, 2008 at 1:51 PM, Peter Sylvester <Peter.Sylvester@edelweb.fr> wrote: > >>> An X509 certicate bind a public key to some identity (or more) assuming >>> that you do identity based authorisation for example. So one needs the >>> identity information, this is MORE that the DN. >> >> No, in this case, the identity is in the SAML, not the X.509. In >> general, the relying party does not trust the issuer of the X.509 >> certificate, but the latter is required at the TLS layer so that the >> presenter can prove possession of the private key. It is this >> proof-of-possession step that makes the profile work. The identity in >> the certificate does not come into play. > > If this is the case, then the identity provider must have established a > its own association of an public key and some identity. Yes, that can > work, you register an some id is established using whatever X509 cert. > > So, assume that when you register, the id provider just takes the ids > in your certificat. That could be a registration policy of some id provider. No, and in fact you've raised a most important point (which apparently we need to explain better in the profile document). The proof-of-possession step and the authentication step are totally separate. In HoK Web Browser SSO, proof-of-possession is via TLS and authentication is by some other means, typically username/password via a web login form. > I see the statement in line 380ff of the web SSO profile saying something > that Nameid references from the certficate SHOULD NOT be used. > I am not sure that this is appropriate. > It is a matter up to the identity provider to determine the identities. Well, I've commented on that particular requirement, and will continue to comment on it until it reads correctly. That said, the <saml:NameID> element in the assertion MUST agree with the <saml:NameID> element in the request (if any). Other than that, you are correct that the <saml:NameID> issued by the IdP is a matter of policy. > So saying that they certficate IDs should not be used is a restriction > that first cannot be verified and it can happen that it matches exactly > the database of the id provider. I basically agree with you, and I've commented as much. > I agree that the profile is not specifically treating x509 id based things. > It is more general, that's good, but taking ids from a cert is just a > subset, and I do not see why it is almost excluded. I agree this needs to be clarified in the profile document. The point that the editor is trying to make, I think, is that the certificate is not trusted in general, so pulling the subject DN out of the certificate and binding it to the assertion is not appropriate. > There is one security thread which is important on the othre hand. > There seem to exist some CAs that are certified by some of the global > CAs that are installed in browsers in MS registries etc. which on the fly > are creating SSL certificats (both for servers and clients). That feature could be leveraged by this profile, yes. > Instead of saying SHOULD NOT use information from the cert should > be added a 'automatically' or something explaining that the ID has to > be carefully be established . That's exactly what we don't want. We don't want to assume a trust relationship between the SAML entity and the X.509 issuer. If there is such a relationship, that's okay, and we should address this possibility in the Security and Privacy Considerations, but that scenario should not come up in the body of the document. Such a trust relationship is out of scope. > I am little bit brainstorming, this also tells something about me :-) Yes, I know :-) I'm beginning to believe that folks with a preference for X.509-based PKI will find this profile somewhat confusing. We need to nip this in the bud, perhaps in the introduction. Tom
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]