Subject: RE: [security-services] SAML core editors: an item to put into doc
> For a question in this approach: What is the "Name" used for?
> What format is it in? If you say that the name is used for
> authentication, say for SSL, does that mean the service
> behind the URI should only respond with that identity?

Basically the idea is that if you want to support signed assertions with the trust model that Shibboleth is starting out with, you have to have a way to tell the requester (or preconfigure into it) that when it asks for an attribute assertion, the name of the thing that will be signing the assertion is "foo", even though the host at which the authority runs is called "bar". With SSL alone, it could extrapolate the name from the binding and verify identity like a web browser does (with the attendant limitations), but to go beyond that, the name has to be explicit in order for it to be arbitrary.

> Who is the authority that vouches for that authority identity?

It's PKI, so it's either bootstrapped into the requester or based on a CA of some sort, presumably. The reason the requester trusts that the authority actually has that name is because the original response via the browser POST profile is signed by a Shibboleth handle service and those services are preconfigured as trusted into the target. The trust is transitive from the handle service to the AA it specifies the requester should use (you trust me, so you should trust the thing called foo for some period of time).

-- Scott
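As an added illustration of the transitive trust Scott describes (example code, not from the thread or from Shibboleth): the requester trusts the handle service by configuration, learns from its signed response which name will sign attribute assertions, and then accepts assertions only from that name, for a bounded period, regardless of which host served them. An HMAC keyed per entity stands in for XML Signature so the model runs on the Python standard library; all names, keys and the attribute value are constructed.

```python
import hashlib
import hmac

def sign(key: bytes, payload: str) -> str:
    """Stand-in for an XML Signature: a keyed MAC over a canonical string."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

class Requester:
    """Target site: trusts handle services by configuration, AAs only transitively."""
    def __init__(self, handle_services: dict, pki: dict, aa_ttl: int = 3600):
        self.handle_services = handle_services  # HS name -> key, preconfigured
        self.pki = pki                          # signer name -> key, bootstrapped
        self.vouched = {}                       # AA name -> expiry of the HS's vouching
        self.aa_ttl = aa_ttl

    def accept_authn_response(self, resp: dict, now: float) -> bool:
        """Browser POST profile: verify the HS signature, then remember the named AA."""
        hs_key = self.handle_services.get(resp["issuer"])
        payload = f'{resp["issuer"]}|{resp["aa_name"]}|{resp["aa_uri"]}'
        if hs_key is None or not hmac.compare_digest(sign(hs_key, payload), resp["sig"]):
            return False  # not a preconfigured handle service, or bad signature
        # The HS vouches for the AA's *name*; its URI may point at a host called something else.
        self.vouched[resp["aa_name"]] = now + self.aa_ttl
        return True

    def accept_attribute_assertion(self, a: dict, now: float) -> bool:
        """Trust hinges on the explicit signer name, never on the host that answered."""
        expiry = self.vouched.get(a["signer"])
        key = self.pki.get(a["signer"])
        if expiry is None or now > expiry or key is None:
            return False  # never vouched for, vouching lapsed, or no key for that name
        return hmac.compare_digest(sign(key, f'{a["signer"]}|{a["attributes"]}'), a["sig"])

# Constructed scenario: HS "hs.example" names AA "foo", which runs on host "bar.example".
HS_KEY, FOO_KEY, BAR_KEY = b"hs-secret", b"foo-secret", b"bar-secret"
def demo(now: float = 1000.0) -> dict:
    r = Requester({"hs.example": HS_KEY}, {"foo": FOO_KEY, "bar.example": BAR_KEY})
    resp = {"issuer": "hs.example", "aa_name": "foo", "aa_uri": "https://bar.example/AA"}
    resp["sig"] = sign(HS_KEY, "hs.example|foo|https://bar.example/AA")
    accepted = r.accept_authn_response(resp, now)
    attrs = "eduPersonAffiliation=member"
    by_foo = {"signer": "foo", "attributes": attrs, "sig": sign(FOO_KEY, f"foo|{attrs}")}
    by_host = {"signer": "bar.example", "attributes": attrs,
               "sig": sign(BAR_KEY, f"bar.example|{attrs}")}
    return {
        "response_accepted": accepted,
        "named_aa_accepted": r.accept_attribute_assertion(by_foo, now),
        "host_name_rejected": not r.accept_attribute_assertion(by_host, now),
        "expired_rejected": not r.accept_attribute_assertion(by_foo, now + 7200),
    }
```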