Subject: RE: [security-services] [A20: Prateek] - Need for additional ConfirmationMethod identifiers


Prateek -
Just to be clear, I assume the <ds:KeyInfo> is related to the Subject and
not to the mechanism that is providing the assertion. I.e., I assume that
the relying party will use <ds:KeyInfo> to challenge the subject to prove
possession of private key.  If this is the case, then there are multiple
ways for the relying party to prove that the subject possesses the private
key. I suggest that we not restrict the method of proof to just "digital
signatures". I suggest that we use the text:

Name: Holder Of Key

Text: An additional proof MUST be provided within
the context of
use of the
assertion. The assertion MUST include a <ds:KeyInfo> element within the
<saml:SubjectConfirmation> element. The relying party MUST
determine the
validity of the proof, possibly utilizing the <ds:KeyInfo>
element, before
processing the assertion.

Thanks,
Jahan




---------------------------
Jahan Moreh
Chief Security Architect
Sigaba Corp.
jmoreh@sigaba.com <mailto:jmoreh@sigaba.com>
cell: 310.890.9391
tel: 310.286.3070





>-----Original Message-----
>From: Mishra, Prateek [mailto:pmishra@netegrity.com]
>Sent: Tuesday, December 11, 2001 8:42 AM
>To: 'security-services@lists.oasis-open.org'; 'pbaker@verisign.org'
>Subject: [security-services] [A20: Prateek] - Need for additional
>ConfirmationMethod identifiers
>
>
>1)
>
>Name: Holder Of Key
>
>Text: An additional digital signature MUST be provided within
>the context of
>use of the
>assertion. The assertion MUST include a <ds:KeyInfo> element within the
><saml:SubjectConfirmation> element. The relying party MUST
>determine the
>validity of the digital signature, possibly utilizing the <ds:KeyInfo>
>element, before
>processing the assertion.
>
>
>2) Sender Vouches
>
>Text: Indicates that no other information is available about
>the context of
>use of the assertion. The relying
>party SHOULD utilize other means to determine if it should process the
>assertion further.
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>
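The thread above distinguishes two confirmation methods: for Holder Of Key the relying party must check a proof bound to the key in <ds:KeyInfo> before processing the assertion, and for Sender Vouches the assertion carries no proof, so the relying party must decide by other means. The following relying-party check is an added example, not code from the thread or from any SAML implementation. It assumes, as the proposed text allows, a challenge-response proof rather than a signature over the assertion (the subject signs a relying-party nonce with ECDSA over SHA-256), a simplified KeyInfo that carries the subject's public key as base64 DER SubjectPublicKeyInfo with no XML namespaces, and the constructed method identifiers "holder-of-key" and "sender-vouches" in place of the real URNs, which the page does not give.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Outcome is the relying party's decision after examining SubjectConfirmation.
type Outcome int

const (
	Confirmed     Outcome = iota // holder-of-key proof verified against the KeyInfo key
	Rejected                     // proof missing, unverifiable or invalid: do not process the assertion
	UseOtherMeans                // sender-vouches: no proof in the assertion; decide by other means
)

// Constructed placeholders for the two methods discussed in the thread; the
// page gives no URNs, so these are not the real SAML identifiers.
const (
	MethodHolderOfKey   = "holder-of-key"
	MethodSenderVouches = "sender-vouches"
)

// KeyInfo is a simplified stand-in for <ds:KeyInfo> (assumption): the subject's
// public key as base64 DER SubjectPublicKeyInfo.
type KeyInfo struct {
	PublicKey string `xml:"PublicKey"`
}

// SubjectConfirmation is a minimal, namespace-free subset of the SAML element.
type SubjectConfirmation struct {
	XMLName            xml.Name `xml:"SubjectConfirmation"`
	ConfirmationMethod string   `xml:"ConfirmationMethod"`
	KeyInfo            *KeyInfo `xml:"KeyInfo,omitempty"`
}

// BuildSubjectConfirmation constructs the sample element the relying party
// receives; pub is nil for sender-vouches, which carries no key.
func BuildSubjectConfirmation(method string, pub *ecdsa.PublicKey) ([]byte, error) {
	sc := SubjectConfirmation{ConfirmationMethod: method}
	if pub != nil {
		der, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return nil, err
		}
		sc.KeyInfo = &KeyInfo{PublicKey: base64.StdEncoding.EncodeToString(der)}
	}
	return xml.Marshal(sc)
}

// Prove is the subject's side: sign the relying party's challenge with the
// private key that matches the public key named in the assertion.
func Prove(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// ConfirmSubject is the relying party's side of the proposed text: determine the
// validity of the proof, using <ds:KeyInfo>, before processing the assertion.
func ConfirmSubject(confirmationXML, challenge, proof []byte) (Outcome, error) {
	var sc SubjectConfirmation
	if err := xml.Unmarshal(confirmationXML, &sc); err != nil {
		return Rejected, err
	}
	switch sc.ConfirmationMethod {
	case MethodSenderVouches:
		// Nothing in the assertion binds it to the presenter; the relying
		// party SHOULD use other means (transport auth, policy) to decide.
		return UseOtherMeans, nil
	case MethodHolderOfKey:
		// The assertion MUST include KeyInfo; without it the proof cannot be checked.
		if sc.KeyInfo == nil {
			return Rejected, errors.New("holder-of-key assertion without KeyInfo")
		}
		der, err := base64.StdEncoding.DecodeString(sc.KeyInfo.PublicKey)
		if err != nil {
			return Rejected, err
		}
		key, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			return Rejected, err
		}
		pub, ok := key.(*ecdsa.PublicKey)
		if !ok {
			return Rejected, errors.New("unsupported key type in KeyInfo")
		}
		digest := sha256.Sum256(challenge)
		if !ecdsa.VerifyASN1(pub, digest[:], proof) {
			return Rejected, errors.New("proof of possession does not verify")
		}
		return Confirmed, nil
	default:
		return Rejected, fmt.Errorf("unknown ConfirmationMethod %q", sc.ConfirmationMethod)
	}
}

func main() {
	subjectKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	assertion, _ := BuildSubjectConfirmation(MethodHolderOfKey, &subjectKey.PublicKey)
	challenge := []byte("constructed-relying-party-nonce-0001") // constructed sample nonce
	proof, _ := Prove(subjectKey, challenge)
	out, err := ConfirmSubject(assertion, challenge, proof)
	fmt.Println("holder-of-key outcome:", out, err)
}
```

The relying party never trusts the assertion's claims about the presenter on their own: a holder-of-key assertion with a proof that does not verify, or with no KeyInfo at all, is rejected rather than downgraded, and sender-vouches is reported as a distinct outcome so that the decision to continue is made explicitly by other means rather than by accident.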