security-services message
Subject: RE: [security-services] Question on X509 Authn-based Attr Sharing Profile


> All, is there a place on the Saml site that describes the 
> usage/validation of the subject using holder-of-key 
> identifier (more detail than the SAML 2 Profile spec)?

No, I asked this earlier. It applies to WSS as well, not anything particular
to SAML. What does "use a ds:KeyInfo to verify..." mean in technical terms?

If trust is out of scope (and it has been), then it means anything. So
interoperability is impossible except in a few cases.

To follow up Rick's last note, I don't think saying "out of band" is enough
unless the plan is to allow any use of the element, as now. If you want
anything more specific, the profile has to say that.

For example, OOB doesn't imply KeyName to me. You could pass the cert, but
still have the binding of cert to entity occur OOB. Metadata is one likely
way, but that's OOB with respect to the SAML assertion.

-- Scott
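To make the question in this reply concrete (what "use a ds:KeyInfo to verify" could mean once the profile is pinned down), here is an added example of a relying-party check; it is not code from the thread or from any OASIS specification. It assumes the presenter's certificate has already been proven at the transport layer (for instance TLS client authentication) and handles exactly the two KeyInfo forms discussed above: an inline ds:X509Certificate compared byte for byte, and a bare ds:KeyName resolved through an out-of-band binding table such as one populated from metadata. The assertion XML, the certificate bytes and the KeyName values are all constructed stand-ins; anything outside those two forms is rejected, which is precisely the gap the profile text would have to close before two implementations could interoperate.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML_NS, "ds": DS_NS}

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_A = b"constructed DER bytes for client A"
CERT_B = b"constructed DER bytes for client B"

# Constructed out-of-band binding: KeyName -> certificate DER the relying
# party has agreed (e.g. via metadata) to accept for that name.
OOB_BINDINGS = {"client-b": CERT_B}


def _b64_to_der(text):
    """Decode a base64 blob as it appears in XML (may contain line breaks)."""
    return base64.b64decode("".join(text.split()))


def hok_key_infos(assertion_xml):
    """Return the ds:KeyInfo elements found under holder-of-key
    SubjectConfirmation elements of the assertion (bearer etc. are skipped)."""
    root = ET.fromstring(assertion_xml)
    infos = []
    for sc in root.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is not None:
            infos.extend(data.iterfind("ds:KeyInfo", NS))
    return infos


def confirm_holder_of_key(assertion_xml, presenter_cert_der, oob_bindings):
    """Return (True, reason) if the presenter's transport-proven certificate
    (DER bytes) matches at least one holder-of-key KeyInfo, else (False, reason).

    Inline ds:X509Certificate: compared byte for byte with the presenter.
    Bare ds:KeyName: resolved through the out-of-band table, then compared.
    Any other KeyInfo content is not understood and therefore does not confirm.
    """
    infos = hok_key_infos(assertion_xml)
    if not infos:
        return False, "no holder-of-key SubjectConfirmation with KeyInfo"
    for ki in infos:
        cert = ki.find("ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            if _b64_to_der(cert.text) == presenter_cert_der:
                return True, "inline certificate matches presenter"
            continue
        name = ki.find("ds:KeyName", NS)
        if name is not None and name.text:
            bound = oob_bindings.get(name.text.strip())
            if bound is not None and bound == presenter_cert_der:
                return True, "KeyName bound out of band to presenter"
    return False, "no KeyInfo matched the presenter's key"


def build_assertion(method, key_info_xml):
    """Build a minimal constructed SAML 2.0 assertion around one confirmation."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" '
        f'Version="2.0" ID="_constructed" IssueInstant="2001-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.invalid</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{method}">'
        f"<saml:SubjectConfirmationData>{key_info_xml}</saml:SubjectConfirmationData>"
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
    )


ASSERTION_INLINE_CERT = build_assertion(
    HOK,
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(CERT_A).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>",
)
ASSERTION_KEYNAME = build_assertion(
    HOK, "<ds:KeyInfo><ds:KeyName>client-b</ds:KeyName></ds:KeyInfo>"
)
ASSERTION_BEARER = build_assertion(BEARER, "")

if __name__ == "__main__":
    print(confirm_holder_of_key(ASSERTION_INLINE_CERT, CERT_A, {}))
    print(confirm_holder_of_key(ASSERTION_INLINE_CERT, CERT_B, {}))
    print(confirm_holder_of_key(ASSERTION_KEYNAME, CERT_B, OOB_BINDINGS))
    print(confirm_holder_of_key(ASSERTION_KEYNAME, CERT_B, {}))
    print(confirm_holder_of_key(ASSERTION_BEARER, CERT_A, OOB_BINDINGS))
```

The KeyName branch is the only place where the "out of band" binding actually enters the check: without the table, a KeyName confirms nothing, and with an inline certificate the table is never consulted even though the cert-to-entity binding may still have been established elsewhere, which is the distinction the reply draws.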