[security-services] ISSUE: Can the SenderVouches security model beexpressed with exi sting security infrastructure?

["Mishra, Prateek" <pmishra@netegrity.com>]

[Blakely-WorkItems] proposes an extension of the SOAP profile as found in
bindings-05. The main idea in this architecture is that a subject may
provide
a "trusted" sender with one or more SAML assertions; the sender then obtains
an
attribute assertion holding the senders public key. All of this material is
securely
attached to a business payload via the senders signature (using the sender
private
key). 
 
 
Pictorially:
 
BusinessMessage=
 
[{[Assertions about Subject] [Assertion with Sender Public Key][Payload]}
[Signature]
 
 
A recipient can determine if the BusinessMessage has been tampered by
examination of [Signature]; establish
identity of the sender by examination of [Assertion with Sender Public Key]
and then
process the payload in context of [Assertions about Subject]. This model is
specially
interesting when an end-user lacks private/public key pairs and utilizes a
trusted server
to securely attach assertions to a payload.
 
 
During the bindings con-call on Oct 11, it was suggested that this effect
was
achievable thru existing security infrastructure. Notice that the key issue
above is 
representing the
trust relationship between the sender and recipient. It was argued that 
[Assertion with Sender Public Key] is essentially equivalent  to a X.509
certificate and that the following message architecture is equivalent to the
above:
 
 BusinessMessage= {[Assertions about
Subject][X509.Certificate][Payload]}[Signature] 
 
As before BusinessMessage integrity is guaranteed by the senders signature;
instead of processing [Assertion with Sender Public Key] the recipient
examines
the [X509.Certificate] (this could be generalized to <ds:KeyInfo>) and
determines
whether the sender is trusted to "vouch for" the subject.
 
Comments are invited on this proposed change.
 
 
- prateek