OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [security-services] SAML core editors: an item to put into do c


> For a question in this approach: What is the "Name" used for? 
> What format is it in? If you say that the name is used for 
> authentication, say for SSL, does that mean the serviced 
> behind the URI should only respond with that identity?

Basically the idea is that if you want to support signed assertions with
the trust model that Shibboleth is starting out with, you have to have a
way to tell the requester (or preconfigure into it) that when it asks
for an attribute assertion, the name of the thing that will be signing
the assertion is "foo", even though the host at which the authority runs
is called "bar".

With SSL alone, it could extrapolate the name from the binding and
verify identity like a web browser does (with the attendant
limitations), but to go beyond that, the name has to be explicit in
order for it to be arbitrary.

> Who is the authority that vouches for that authority identity?

It's PKI, so it's either bootstrapped into the requester or based on a
CA of some sort, presumably.

The reason the requester trusts that the authority actually has that
name is because the original response via the browser POST profile is
signed by a Shibboleth handle service and those services are
preconfigured as trusted into the target. The trust is transitive from
the handle service to the AA it specifies the requester should use (you
trust me, so you should trust the thing called foo for some period of
time).

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC