security-services message

Subject: [security-services] HolderOfKey and SenderVouches are slipping thru the cracks(!)

An apparent side-effect of our placing the responsibility for defining
ConfirmationMethod identifiers with SAML profiles and bindings is having the
HolderOfKey and SenderVouches ConfirmationMethods sort of disappear. 

They are not mentioned in Prateek's proposed changes to bindings-model-13...

Proposed changes to bindings-13 to include definition of SAML Confirmation
Method identifiers

Note that we explicitly listed them among the four ConfirmationMethods we felt
we wanted to retain..

Minutes for Focus Group Telecon Tue 2-Apr-2002

> Presently defined & employed ConfirmationMethods (and attendant
> SubjectConfirmationData values) will be defined in appropriate places in the
> subsequent version of bindings-model-xx, and it'll also have a (sub)section
> summarizing the presently defined & employed ConfirmationMethods...
>  holderOfKey
>  bearer
>  sender vouches
>  artifact

This situation is likely due to there not being an obvious place in
bindings-model-13 to define holderOfKey and SenderVouches. 

Additionally, we'd agreed that there ought to be a summary section (appendix?)
that lists all the ConfirmationMethods defined in the spec. 

A proposal to solve this is to concoct a short, specific subsection of section 3
"Bindings" (3.2, say) along the lines of..

3.2 ConfirmationMethod Identifiers 

Assertions returned by SAML responders in response to any SAML requests MAY
contain ConfirmationMethod identifiers defined in this subsection, or MAY
contain ConfirmationMethod identifiers defined elsewhere in this specification
(e.g. in profiles), or MAY contain ConfirmationMethod identifiers defined in
other specification or by private agreement. Use and interpretation of
ConfirmationMethod identifiers is profile- or application-specific. See 

3.2.1 Holder of Key: 

  URI: urn:oasis:names:tc:SAML:1.0:cm:Holder-Of-Key

  <ds:KeyInfo>: Any cryptographic key

  The subject of the assertion is the party that can demonstrate that it 
  is the holder of the private component of the key specified in <ds:KeyInfo>
  of the enclosing <SubjectConfirmation> element. 

3.2.2 Sender Vouches: 

  URI: urn:oasis:names:tc:SAML:1.0:cm:sender-vouches

  Indicates that no other information is available about the context of 
  use of the assertion. The Relying party SHOULD utilize other means to
  determine if it should process the assertion further. 

...and add this appendix near the end of the spec....

X Appendix: ConfirmationMethods summary 

These confirmation methods are defined in this specification:

  Identifier                                         See section
  ----------                                         -----------

  urn:oasis:names:tc:SAML:1.0:cm:Holder-Of-Key        3.2.1

  urn:oasis:names:tc:SAML:1.0:cm:sender-vouches       3.2.2
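The following is an added example, not part of the original post and not OASIS SSTC code: it shows how a relying party could act on the two identifiers proposed in 3.2.1 and 3.2.2 when it receives a SAML 1.0 assertion. The sample assertions are constructed inline, and the `presenter_key_name` parameter is an assumption standing in for whatever binding-specific evidence (e.g. a message signature) shows which key the presenting party actually holds.

```python
"""Relying-party handling of SAML 1.0 ConfirmationMethod identifiers.

Added example (not code from the OASIS SSTC or the original post).
Sample assertions below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Identifiers exactly as proposed for section 3.2 of bindings-model.
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:Holder-Of-Key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def make_assertion(method: str, key_name: Optional[str] = None) -> str:
    """Build a minimal, constructed SAML 1.0 assertion with one SubjectConfirmation.

    When key_name is given, a <ds:KeyInfo> naming that key is included, as the
    Holder-Of-Key method expects.
    """
    key_info = ""
    if key_name:
        key_info = f"<ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>"
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier>alice@example.org</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>
        {key_info}
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def subject_confirmations(assertion_xml: str) -> List[Tuple[List[str], Optional[str]]]:
    """Return (confirmation-method URIs, KeyName from ds:KeyInfo or None) per SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    out = []
    for sc in root.iter(f"{{{NS['saml']}}}SubjectConfirmation"):
        methods = [m.text.strip() for m in sc.findall("saml:ConfirmationMethod", NS) if m.text]
        key_info = sc.find("ds:KeyInfo", NS)
        key_name = key_info.findtext("ds:KeyName", namespaces=NS) if key_info is not None else None
        out.append((methods, key_name))
    return out


def confirm_subject(assertion_xml: str, presenter_key_name: Optional[str]) -> List[str]:
    """Decide, per ConfirmationMethod, whether the presenting party is the subject.

    presenter_key_name is an assumption for this example: the name of the key the
    presenting party has demonstrably used (how that proof of possession is
    obtained is binding-specific and outside this snippet).
    """
    decisions = []
    for methods, key_name in subject_confirmations(assertion_xml):
        for method in methods:
            if method == HOLDER_OF_KEY:
                # 3.2.1: the subject is whoever holds the private key named in ds:KeyInfo.
                if key_name is None:
                    decisions.append("reject:no-keyinfo")
                elif presenter_key_name == key_name:
                    decisions.append("confirmed")
                else:
                    decisions.append("reject:no-proof-of-possession")
            elif method == SENDER_VOUCHES:
                # 3.2.2: no context is available; the relying party must use other means.
                decisions.append("unconfirmed:sender-vouches")
            else:
                # Identifiers from profiles or private agreement are application-specific.
                decisions.append(f"unrecognized:{method}")
    return decisions


if __name__ == "__main__":
    hok = make_assertion(HOLDER_OF_KEY, "alice-signing-key")
    print(confirm_subject(hok, "alice-signing-key"))   # ['confirmed']
    print(confirm_subject(hok, "other-key"))           # ['reject:no-proof-of-possession']
    print(confirm_subject(make_assertion(SENDER_VOUCHES), None))  # ['unconfirmed:sender-vouches']
```

Note that `confirm_subject` treats a Holder-Of-Key confirmation with no `<ds:KeyInfo>` as a rejection rather than a fall-through: without a key there is nothing for the presenter to prove possession of, which is the whole point of that method. The sender-vouches branch deliberately returns "unconfirmed" instead of a yes/no, matching the proposed text that the relying party SHOULD decide by other means.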
