Subject: Re: Fwd: suggestion for holder of key profile
On Tue, Nov 18, 2008 at 3:47 PM, Tom Scavo <trscavo@gmail.com> wrote:
> On Tue, Nov 18, 2008 at 9:41 AM, Peter Sylvester
> <Peter.Sylvester@edelweb.fr> wrote:
>>
>> The second proposal was about the validity dates of the certificate.
>
> The profile doesn't care if the certificate is time-valid.

On the other hand, recall that the <ds:X509SubjectName> element or the
<ds:X509IssuerSerial> elements may be used if the relying party trusts the
issuer of the X.509 certificate. So in those cases it makes sense to bind the
NotBefore and NotOnOrAfter fields from the certificate to the assertion:

"If the SAML issuer has reason to believe that the relying party trusts the
certificate issuer, the SAML issuer MAY include NotBefore or NotOnOrAfter XML
attributes on the <saml:SubjectConfirmationData> element. If so, the values in
the assertion MUST be consistent with the values in the certificate. In
particular, the value of the NotBefore attribute (resp., the NotOnOrAfter
attribute) MUST be greater than or equal to (resp., less than or equal to) the
NotBefore field (resp., the NotOnOrAfter field) of the certificate."

"If the <saml:SubjectConfirmationData> element includes NotBefore or
NotOnOrAfter attributes, and the relying party trusts the issuer of the X.509
certificate, the relying party MUST check that the current time is greater than
or equal to (resp., less than or equal to) the value of the NotBefore (resp.,
the NotOnOrAfter) attribute. If this requirement is not met, the subject is not
confirmed and the relying party SHOULD disregard the assertion."

Tom
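The two quoted paragraphs describe one rule from each side: the SAML issuer may only emit a NotBefore/NotOnOrAfter window that sits inside the certificate's own validity period, and a relying party that trusts the certificate issuer must reject the subject when the current time falls outside that window. The Python below is an added example written for this archive page; it is not code from the thread, the proposed profile, or any SAML implementation. The class and function names, the xs:dateTime parser and the sample timestamps are all constructed here. One assumption is flagged in the code: NotOnOrAfter is treated as an exclusive bound (rejected at the instant equal to it), which follows the attribute's SAML name rather than the "less than or equal to" wording of the quoted text.

```python
# Added example (not from the thread): the two sides of the validity-window
# rule quoted in Tom's message, written as plain Python so the comparisons
# can be exercised on constructed timestamps.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def parse_xs_datetime(text: str) -> datetime:
    """Parse a SAML xs:dateTime such as '2008-11-18T17:02:00Z' to an aware UTC datetime.

    datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on, so the
    suffix is rewritten to an explicit offset first.
    """
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone (UTC)")
    return dt.astimezone(timezone.utc)


@dataclass(frozen=True)
class CertValidity:
    """Validity period of the X.509 certificate referenced from <ds:KeyInfo>.

    X.509 names the end of the period notAfter; the quoted text calls it the
    certificate's NotOnOrAfter field. It is the same value.
    """
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SubjectConfirmationData:
    """The optional NotBefore / NotOnOrAfter attributes of <saml:SubjectConfirmationData>."""
    not_before: Optional[datetime] = None
    not_on_or_after: Optional[datetime] = None


def issuer_window_is_consistent(scd: SubjectConfirmationData, cert: CertValidity) -> bool:
    """SAML issuer side (first quoted paragraph).

    If NotBefore / NotOnOrAfter are present they MUST lie inside the certificate's
    validity period: NotBefore >= cert.notBefore and NotOnOrAfter <= cert.notAfter.
    An absent attribute imposes no constraint.
    """
    if scd.not_before is not None and scd.not_before < cert.not_before:
        return False
    if scd.not_on_or_after is not None and scd.not_on_or_after > cert.not_after:
        return False
    return True


def relying_party_window_check(
    scd: SubjectConfirmationData, now: datetime, rp_trusts_cert_issuer: bool
) -> bool:
    """Relying party side (second quoted paragraph).

    Returns True when this requirement does not cause the subject to be rejected.
    The quoted text only mandates the check when the relying party trusts the
    certificate issuer, so for a relying party that does not, the function simply
    does not reject.

    Assumption (not from the message): NotOnOrAfter is an exclusive bound, as its
    SAML name suggests, so the subject is not confirmed at the instant equal to it.
    """
    if not rp_trusts_cert_issuer:
        return True
    if scd.not_before is not None and now < scd.not_before:
        return False
    if scd.not_on_or_after is not None and now >= scd.not_on_or_after:
        return False
    return True


# Constructed sample values, placed around the date of the thread.
SAMPLE_CERT = CertValidity(
    not_before=parse_xs_datetime("2008-01-01T00:00:00Z"),
    not_after=parse_xs_datetime("2009-01-01T00:00:00Z"),
)
SAMPLE_SCD = SubjectConfirmationData(
    not_before=parse_xs_datetime("2008-11-18T17:00:00Z"),
    not_on_or_after=parse_xs_datetime("2008-11-18T17:05:00Z"),
)
# A window that outlives the certificate: an issuer following the rule must not emit it.
BAD_SCD = SubjectConfirmationData(
    not_before=parse_xs_datetime("2008-11-18T17:00:00Z"),
    not_on_or_after=parse_xs_datetime("2010-01-01T00:00:00Z"),
)


if __name__ == "__main__":
    now = parse_xs_datetime("2008-11-18T17:02:00Z")
    print("issuer: sample window consistent ->", issuer_window_is_consistent(SAMPLE_SCD, SAMPLE_CERT))
    print("issuer: bad window consistent    ->", issuer_window_is_consistent(BAD_SCD, SAMPLE_CERT))
    print("RP (trusts issuer) at 17:02      ->", relying_party_window_check(SAMPLE_SCD, now, True))
```

The current time is passed in rather than read from the clock so the boundary cases (exactly NotBefore, exactly NotOnOrAfter) can be checked deterministically; a deployment would pass datetime.now(timezone.utc), ideally with whatever clock-skew allowance the relying party already applies to other SAML conditions.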