Subject: RE: [security-services] [A20: Prateek] - Need for additional ConfirmationMethod identifiers
Prateek -

Just to be clear, I assume the <ds:KeyInfo> is related to the Subject and not to the mechanism that is providing the assertion. I.e., I assume that the relying party will use <ds:KeyInfo> to challenge the subject to prove possession of the private key. If this is the case, then there are multiple ways for the relying party to prove that the subject possesses the private key. I suggest that we not restrict the method of proof to just "digital signatures". I suggest that we use the text:

Name: Holder Of Key

Text: An additional proof MUST be provided within the context of use of the assertion. The assertion MUST include a <ds:KeyInfo> element within the <saml:SubjectConfirmation> element. The relying party MUST determine the validity of the proof, possibly utilizing the <ds:KeyInfo> element, before processing the assertion.

Thanks,
Jahan

---------------------------
Jahan Moreh
Chief Security Architect
Sigaba Corp.
jmoreh@sigaba.com
cell: 310.890.9391
tel: 310.286.3070

>-----Original Message-----
>From: Mishra, Prateek [mailto:pmishra@netegrity.com]
>Sent: Tuesday, December 11, 2001 8:42 AM
>To: 'security-services@lists.oasis-open.org'; 'pbaker@verisign.org'
>Subject: [security-services] [A20: Prateek] - Need for additional ConfirmationMethod identifiers
>
>1)
>
>Name: Holder Of Key
>
>Text: An additional digital signature MUST be provided within the context of use of the assertion. The assertion MUST include a <ds:KeyInfo> element within the <saml:SubjectConfirmation> element. The relying party MUST determine the validity of the digital signature, possibly utilizing the <ds:KeyInfo> element, before processing the assertion.
>
>2) Sender Vouches
>
>Text: Indicates that no other information is available about the context of use of the assertion. The relying party SHOULD utilize other means to determine if it should process the assertion further.
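The two confirmation methods discussed in this thread impose different duties on the relying party: holder-of-key requires a proof of possession checked against the <ds:KeyInfo> carried in <saml:SubjectConfirmation>, while sender-vouches carries no proof and leaves the decision to the relying party's trust in whoever presented the assertion. The following Python is an added example written for this page, not code from the thread or from any OASIS SAML implementation. It assumes the SAML 1.0 ConfirmationMethod URIs (urn:oasis:names:tc:SAML:1.0:cm:holder-of-key and urn:oasis:names:tc:SAML:1.0:cm:sender-vouches), identifies the subject's key by <ds:KeyName>, and, to stay within the standard library, uses an HMAC over a relying-party challenge as a stand-in for whatever proof mechanism (signature, TLS client authentication, etc.) the deployment accepts, which is exactly the flexibility the reply argues for. The key store, the trusted-sender list and the assertion fragment are all constructed for the example.

```python
"""Relying-party dispatch on SAML 1.x SubjectConfirmation methods (added example)."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}

# SAML 1.0 ConfirmationMethod identifiers (assumed; the thread names the methods only).
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed subject key store, keyed by ds:KeyName. An HMAC secret stands in
# for the subject's key; any proof mechanism the relying party has agreed on
# could take its place, which is the point the reply makes.
SUBJECT_KEYS = {"alice-key-1": b"constructed-secret-for-alice"}

# Constructed: senders whose sender-vouches assertions this relying party trusts.
TRUSTED_SENDERS = {"https://idp.example.test"}


def make_assertion(method, key_name=None):
    """Build a constructed assertion fragment carrying one ConfirmationMethod."""
    key_info = ""
    if key_name is not None:
        key_info = (f'<ds:KeyInfo xmlns:ds="{DS_NS}">'
                    f'<ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>')
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" Issuer="https://idp.example.test">'
            '<saml:AuthenticationStatement><saml:Subject>'
            '<saml:NameIdentifier>alice</saml:NameIdentifier>'
            '<saml:SubjectConfirmation>'
            f'<saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>'
            f'{key_info}</saml:SubjectConfirmation></saml:Subject>'
            '</saml:AuthenticationStatement></saml:Assertion>')


def new_challenge():
    """Relying party's fresh nonce; binds the proof to this use of the assertion."""
    return secrets.token_bytes(16)


def subject_proof(key_name, challenge):
    """Subject side: demonstrate possession of the key named in ds:KeyInfo."""
    return hmac.new(SUBJECT_KEYS[key_name], challenge, hashlib.sha256).hexdigest()


def confirm_subject(assertion_xml, sender, challenge=None, proof=None):
    """Return (accepted, reason) for the assertion's SubjectConfirmation.

    sender is the party the relying party has already authenticated as the
    presenter of the assertion (for example from the transport layer).
    """
    root = ET.fromstring(assertion_xml)
    conf = root.find(".//saml:SubjectConfirmation", NS)
    if conf is None:
        return False, "no SubjectConfirmation element"
    methods = {m.text.strip() for m in conf.findall("saml:ConfirmationMethod", NS) if m.text}

    if HOLDER_OF_KEY in methods:
        # The assertion MUST carry ds:KeyInfo, and a proof MUST accompany its use.
        key_info = conf.find("ds:KeyInfo", NS)
        if key_info is None:
            return False, "holder-of-key requires ds:KeyInfo in SubjectConfirmation"
        key_name = key_info.findtext("ds:KeyName", namespaces=NS)
        if key_name not in SUBJECT_KEYS:
            return False, f"unknown key {key_name!r}"
        if challenge is None or proof is None:
            return False, "holder-of-key requires a proof of possession"
        expected = subject_proof(key_name, challenge)
        if not hmac.compare_digest(expected, proof):
            return False, "proof of possession failed"
        return True, f"subject proved possession of {key_name}"

    if SENDER_VOUCHES in methods:
        # No proof is carried; the decision rests on other means, here sender trust.
        if sender in TRUSTED_SENDERS:
            return True, f"trusted sender {sender} vouches for the subject"
        return False, f"sender {sender} is not trusted to vouch"

    return False, f"unsupported confirmation method(s): {sorted(methods)}"


if __name__ == "__main__":
    challenge = new_challenge()
    hok = make_assertion(HOLDER_OF_KEY, "alice-key-1")
    print(confirm_subject(hok, "https://idp.example.test", challenge,
                          subject_proof("alice-key-1", challenge)))
    print(confirm_subject(make_assertion(SENDER_VOUCHES), "https://unknown.example.test"))
```

The holder-of-key branch refuses an assertion that names the method but omits <ds:KeyInfo>, and refuses a use of the assertion that arrives without a proof, so a bare assertion cannot be replayed by whoever intercepts it; the sender-vouches branch accepts nothing on the assertion's own authority and falls back to the relying party's out-of-band trust decision.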