OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Questions re <ConfirmingSubject>

> If (per lines 1672-1674) an <AuthnRequest> names one or more optional
> entities expected to be able to confirm the resulting assertion, does this
> mean that the assertion cannot also be confirmed by others if they can
> satisfy the confirmation method?

Well, I think it's possible to think of it in a couple of ways. In one
sense, the point is that those confirming entities would be named/identified
in the assertion, and the authority/IdP would presumably need to know which
keys (assuming the HOK method) to put in.

Obviously, it depends on the confirmation method. Right now, we know of
bearer, sender vouches, and HOK. Only the last really makes much sense in
this context, and so you're really saying can anybody with the key confirm
the assertion? And of course that's a yes.

Another aspect is to say whether other specific entities could be named by
the authority as other confirming entities, and I leave that to the group,
but I'd be inclined to say the authority can do what it likes as long as it
at least does what's asked.

> The clauses at 1672-1674 and 1677-1679 cite MUSTs for identified entities
> having the ability to confirm assertions per the designated confirmation
> method.  Unless I'm misunderstanding, this seems like an unusual sort of
> MUST from a protocol conformance perspective:

I actually went back and forth on that part and didn't really know what to
say, exactly. I agree with you. My point was really more trying to answer
the question as to whether the authority should bother to "partially"
fulfill the request, and because of the cost of signing, I guess I came down
on the side of saying not. The idea was that if you get an AuthnRequest and
you're told to allow HOK confirmation by Bob and you don't know Bob's key,
return an error.

But that's not quite the same thing as saying the confirming entities MUST
be able to do so, which is not possible for the authority to know.

I needed a firmed up picture of what Subject and SubjectConfirmation would
look like, once fixed, in order to know quite what I wanted to say, which is
more along the lines of "the entity identified by a ConfirmingSubject MUST
appear in the assertion's <Foo> element in such and such a way". So it's not
quite as strong a MUST as what's there now.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]