security-services-comment message

Subject: Re: [security-services-comment] Re: http://saml.xml.org/news/holder-of-key-web-browser-sso-profile

Tom Scavo wrote:
> On Wed, Nov 19, 2008 at 12:46 PM, Peter Sylvester
> <Peter.Sylvester@edelweb.fr> wrote:
>> The usage of SAML assertions allows one to disconnect some 'primary' identity
>> which is available in an X.509 certificate from some 'secondary' identity which
>> is established in whatever way and which may be totally unrelated to the
>> identities which are present in the X.509 certificate.
> The identifiers in the certificate do not matter with respect to SAML
> Web Browser SSO (unless of course the SAML issuer decides otherwise).
> The only identifiers that matter are the Subject/NameID and any global
> identifiers that happen to be asserted as attributes in an
> AttributeStatement.  In particular, the stuff in SubjectConfirmation
> are not identifiers for the user.
As said in another message, I agree, the last sentence is the key part. I didn't
clearly see that. Somehow the brain was polluted by X.509 identities :-)
>> The identities present in the X.509 certificate may be totally ignored by
>> a service provider and the identity provider after initial registration.
> Yes, and we anticipate this to be the typical case.
>> Furthermore, the SAML assertion is established for each act and normally
>> has a lifetime much shorter than the lifetime of a certificate.
> True.
>> Nevertheless, the specification does not prohibit using identities present
>> in the X.509 certificate in closed environments.
> But this is totally out of scope with respect to HoK Web Browser SSO.
Yes, but there seem to be texts with SHOULD NOT that address this;
if the point is out of scope, then there is no reason to discourage it.
>> The introduction could mention something about the fact that an X.509 cert has two
>> purposes:
>> - The usage of the key (responding to some authentication challenge)
>> - The link to some "global" identity.
>> The specification treats a case where the second part may or may not be
>> used, i.e. a service provider only uses the first part to
>> verify whether the SAML assertion is presented by the holder
>> of the key, and presents whatever identity it is configured to present.
> This is how it should be, I think.  We can note the possible uses of
> the certificate in the profile (and I think we've tried to do this)
> but that text should not be in the normative parts of the document
> lest the reader misunderstand the intent.
First: I didn't give a definition of 'global'. I don't mean a "unique"
type of identifier for everything; entities can have all kinds of identifiers,
and several of them. I just wanted to refer to 'non-ambiguous'.

>> There is a use that would like to use whatever is in a certificate
>> in more or less difficult ways for an application, but easier
>> for a "centralised" function or id server.
> I'm not sure what that means.
Transforming the various fields and extension values in an X.509 certificate into
attributes of a SAML attribute assertion, e.g. an email address, a web server name,
some permanent identifier, etc., even keyUsage, etc.
Most of these things are attributes and not part of an 'identity'. In X.509
one should theoretically use attribute certificates, but this doesn't help
at all to create an assertion as in SAML.
>> My initial question was for a feature to return additional
>> identifier of the "subject" for example in the way outlined below.
> But what you are proposing is an inappropriate use of
> SubjectConfirmation, I believe.  That's not what SubjectConfirmation
> is for.
I agree.
> Tom


EdelWeb 	Peter SYLVESTER
Information Systems Security Consultant
EdelWeb - Groupe ON-X
15, quai de Dion-Bouton
F-92816 Puteaux Cedex
Tel : + / Fax : +
www.edelweb.fr <http://www.edelweb.fr> / www.on-x.com <http://www.on-x.com>
To verify the message signature, see edelpki.edelweb.fr
This lets you load the root authority certificate;
the list of revoked certificates can also be found there.
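As an added example (not from this thread, the OASIS profile, or EdelWeb), here is the service-provider check Tom describes in the quoted reply: the user's identity is taken from Subject/NameID, and the certificate carried in a holder-of-key SubjectConfirmation is used only to confirm that the presenter holds that key, while the names inside the certificate are ignored. The assertion, the certificate bytes and the NameID value are constructed stand-ins; the snippet assumes the TLS layer has already proven key possession and the assertion signature has already been verified.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
NS = {"saml": SAML, "ds": DS}

# Constructed stand-in for the DER bytes of the client certificate presented in
# the TLS handshake (not a real certificate; only its bytes are compared here).
CLIENT_CERT_DER = b"constructed-client-cert-der-bytes"

# Constructed assertion: NameID names the user, SubjectConfirmation only carries
# the certificate whose key the presenter must have proven possession of.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_a1">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK}">
      <saml:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00Z">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {base64.b64encode(CLIENT_CERT_DER).decode()}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def confirm_holder_of_key(assertion_xml, presented_cert_der, now=None):
    """Return the asserted NameID if the presenter holds a confirmed key, else None.
    Identity comes from Subject/NameID; the certificate's own names are ignored."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    for sc in root.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != HOK or scd is None:
            continue  # bearer or other methods give no key to check
        exp = scd.get("NotOnOrAfter")
        if exp and now >= datetime.fromisoformat(exp.replace("Z", "+00:00")):
            continue  # confirmation data has expired
        for cert_el in scd.iterfind(".//ds:X509Certificate", NS):
            confirmed = base64.b64decode("".join(cert_el.text.split()))
            # Compare the whole DER blob, not any subject name inside it.
            if hmac.compare_digest(confirmed, presented_cert_der):
                return name_id
    return None
```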
