
Subject: [security-services] Proposed text on Subject Confirmation Methods


I am still carrying this as an issue.

All changes go in section 7.1
I think the following changes are required as a minimum.

Add 7.1.13 Bearer
URI: something
The subject of the assertion is the party that presents the assertion.

1610, 1630, 1645
insert reference to [SHA1]

[SHA1] RFC3174. D. Eastlake, 3rd, P. Jones. US Secure Hash Algorithm 1 (SHA1). September 2001. http://www.ietf.org/rfc/rfc3174.txt

Change all occurrences of "SHA-1" to "SHA1."

replace line with "<SubjectConfirmationKey>: Base64 (A Kerberos 5 Service Ticket)"

The exact syntax and semantics of SubjectConfirmationData can only be determined by reference to a SAML Profile that specifies its use or by private agreement. SubjectConfirmationData is not intended to be used to enable a Relying Party to be able to impersonate the Subject.


My preference would be to drop all of the following:

"SAML Artifact (SHA1)" - unneeded as it duplicates the unhashed version (actually I would rather get rid of the unhashed version, but the Artifact Profile specifies its use for some reason).

"Password (Pass-Through)" - unneeded and dangerous as it duplicates the hashed version

"SSL/TLS Certificate Based Client Authentication" duplicates Holder of Key.

"PKCS#7" - duplicates Holder of Key

"Cryptographic Message Syntax" duplicates Holder of Key

"XML Digital Signature" - can't understand how this could be used. Is this supposed to be some sort of XML certificate? If so, the format is undefined.
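The distinction the message draws between Bearer, Holder of Key and the SHA1-hashed SubjectConfirmationData variants, as an added Python example written for this archive page; it is not code from the message's author or from the SAML specification. It assumes the Bearer and Holder of Key URIs later published in SAML 1.1 core (the message above still has the Bearer URI as "something"), a placeholder URI for the hashed-data variant since the page gives none, and a constructed, unsigned assertion; signature and validity-period checks on the assertion itself are outside its scope.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Confirmation method URIs as published in SAML 1.1 core (assumption: the
# message leaves the Bearer URI as "something"; this is what it became).
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
# Placeholder URI for the SHA1-hashed SubjectConfirmationData variants the
# message discusses (constructed; the page gives no URI for them).
CM_SHA1_DATA = "urn:example:cm:sha1-hashed-data"


def sha1_confirmation_data(value):
    """base64(SHA1(value)): the form a hashed variant carries in SubjectConfirmationData."""
    return base64.b64encode(hashlib.sha1(value.encode()).digest()).decode()


def make_assertion(method, data=None, key_name=None):
    """Build a minimal, constructed, unsigned SAML 1.x assertion for the example."""
    extra = ""
    if data is not None:
        extra += f"<saml:SubjectConfirmationData>{data}</saml:SubjectConfirmationData>"
    if key_name is not None:
        extra += f"<ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>"
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" '
        'AssertionID="constructed-1" MajorVersion="1" MinorVersion="1">'
        "<saml:AuthenticationStatement><saml:Subject>"
        "<saml:NameIdentifier>alice@example.org</saml:NameIdentifier>"
        f"<saml:SubjectConfirmation><saml:ConfirmationMethod>{method}"
        f"</saml:ConfirmationMethod>{extra}</saml:SubjectConfirmation>"
        "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>"
    )


def parse_confirmation(assertion_xml):
    """Return (confirmation method URIs, SubjectConfirmationData text, ds:KeyName text)."""
    root = ET.fromstring(assertion_xml)
    sc = root.find(f".//{{{SAML_NS}}}SubjectConfirmation")
    if sc is None:
        return [], None, None
    methods = [m.text.strip() for m in sc.findall(f"{{{SAML_NS}}}ConfirmationMethod") if m.text]
    data = sc.findtext(f"{{{SAML_NS}}}SubjectConfirmationData")
    key_name = sc.findtext(f"{{{DS_NS}}}KeyInfo/{{{DS_NS}}}KeyName")
    return methods, data, key_name


def _method_satisfied(method, data, key_name, presenter):
    if method == CM_BEARER:
        # Bearer: whoever presents the assertion is the subject. There is
        # nothing in the presenter to match; the assertion's own signature and
        # validity conditions are the only protection.
        return True
    if method == CM_HOLDER_OF_KEY:
        # The presenter must already have proven possession of the key named in
        # ds:KeyInfo to the relying party (for example by signing its request).
        return key_name is not None and presenter.get("proved_key") == key_name
    if method == CM_SHA1_DATA:
        # Hashed variant: the relying party can check a value it was shown, but
        # the assertion only ever gave it the digest, so it cannot reuse the
        # value to impersonate the subject (the pass-through variant would).
        shown = presenter.get("shown_value")
        if shown is None or not data:
            return False
        return hmac.compare_digest(sha1_confirmation_data(shown), data.strip())
    # Unknown method: refuse rather than guess at its semantics.
    return False


def confirm_subject(assertion_xml, presenter):
    """True when the presenting party satisfies every ConfirmationMethod listed.

    `presenter` is a constructed dict of facts the relying party established
    itself (TLS, a verified signature, a prompt), never values copied from
    the assertion. Requiring all listed methods is a conservative choice made
    for this example.
    """
    methods, data, key_name = parse_confirmation(assertion_xml)
    if not methods:
        return False
    return all(_method_satisfied(m, data, key_name, presenter) for m in methods)


if __name__ == "__main__":
    print("bearer:", confirm_subject(make_assertion(CM_BEARER), {}))
    hok = make_assertion(CM_HOLDER_OF_KEY, key_name="alice-signing-key")
    print("holder-of-key, right key:", confirm_subject(hok, {"proved_key": "alice-signing-key"}))
    print("holder-of-key, other key:", confirm_subject(hok, {"proved_key": "other-key"}))
    hashed = make_assertion(CM_SHA1_DATA, data=sha1_confirmation_data("correct horse"))
    print("hashed data, matching value:", confirm_subject(hashed, {"shown_value": "correct horse"}))
```

The presenter dict stands in for whatever the relying party verified out of band; the point of the structure is that only the Holder of Key and hashed branches consult it, while the Bearer branch has nothing to consult, which is why the message's text for Bearer says simply that the presenter is the subject.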

