
security-services-comment message


Subject: RE: [saml-dev] SAML Holder of Key Profile

Tom Scavo wrote on 2009-01-15:
> Does not what?  No, I disagree, the RP must possess an X.509
> certificate known to be associated with the attesting entity.  The RP
> confirms the attesting entity before consuming the HoK assertion.  It
> does this by comparing the X.509 data in the certificate to the X.509
> data bound to the HoK assertion.

He means in advance of receiving the assertion. I think the confusion is
that because you're writing a protocol-neutral set of processing rules,
you're assuming various things would have taken place ahead of time. Perhaps
it's necessary to state those assumptions, not as processing rules like
before but just as "given".

>> When the attesting party presents the SAML Assertion to the RP, the
>> attesting party proves possession of the attesting party's cert.
> This is where your argument breaks down.  There is no notion of
> "presenter" or "proof of possession" in this profile.  Everything just
> *is*.

That's true within the scope of the profile, but once you embed the profile
into an actual security protocol, both notions emerge as prerequisites
simply because of the definition of subject confirmation. It only applies if
both exist.

-- Scott
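The confirmation step the two messages above argue about, as an added example that is not part of the original thread or of any OASIS profile text: the relying party extracts the X.509 data bound to a holder-of-key SubjectConfirmation and compares it, byte for byte, with the certificate the attesting entity actually presented. The "givens" Scott refers to are left outside the function on purpose: the code assumes the caller has already verified the assertion's signature and that the presented certificate came from a channel in which the attesting entity proved possession of the matching private key (TLS client authentication, for instance). The sample assertion and the two DER byte strings are constructed placeholders, not real certificates.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholders standing in for DER-encoded certificates.
# They are NOT real X.509 certificates; only equality of the bytes matters here.
ATTESTER_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-PLACEHOLDER-CERT-ATTESTER"
OTHER_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-PLACEHOLDER-CERT-OTHER"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed, unsigned sample assertion carrying one holder-of-key
# SubjectConfirmation whose KeyInfo binds ATTESTER_CERT_DER to the subject.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_example" Version="2.0" IssueInstant="2009-01-15T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{_b64(ATTESTER_CERT_DER)}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def bound_hok_certificates(assertion_xml: str) -> List[bytes]:
    """Return the DER bytes of every certificate bound to a holder-of-key
    SubjectConfirmation. Confirmations using any other Method are ignored,
    so a bearer-only assertion yields an empty list."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for el in sc.findall(path, NS):
            text = "".join((el.text or "").split())  # drop base64 line wrapping
            certs.append(base64.b64decode(text))
    return certs


def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes) -> bool:
    """The relying party's confirmation check.

    Preconditions (the 'givens' supplied by the enclosing protocol, not by
    this function): the assertion's signature has been verified, and
    presented_cert_der is the certificate the attesting entity demonstrated
    possession of, e.g. its TLS client certificate. Given that, the assertion
    is confirmed only if that certificate matches one bound to a
    holder-of-key SubjectConfirmation.
    """
    return any(c == presented_cert_der for c in bound_hok_certificates(assertion_xml))


if __name__ == "__main__":
    print("attester cert:", confirm_holder_of_key(SAMPLE_ASSERTION, ATTESTER_CERT_DER))
    print("other cert:   ", confirm_holder_of_key(SAMPLE_ASSERTION, OTHER_CERT_DER))
```

Comparing whole DER encodings is the strictest form of the check; a deployment could instead match on X509IssuerSerial or X509SubjectName from the same ds:X509Data element, but it must then make sure the presented certificate was validated against a trust anchor, since a name alone proves nothing without that.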
