OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Question on X509 Authn-based Attr Sharing Profile

> Scott, can you elaborate on your point about "Metadata is 
> only likely way ..." Were you suggesting one could use 
> metadata to map user entities (key names) to their certs?

No, I didn't mean metadata is the *only* way (it's just one way of doing OOB
key exchange), and no, I didn't mean it applied to this particular case,
just that it's an example of a mechanism where keys might be exchanged OOB
of SAML assertions but the assertion might still contain a cert and not just
a KeyName.

Signed assertions, for example, typically have the signing cert in them, but
the actual exchange of the key could still be OOB.

So when you asked is it OOB (KeyName), I was trying to say OOB != KeyName to

What is the typical content of ds:KeyInfo with holder-of-key today? SAML 2.0
hasn't changed anything, apart from acknowledging that ownership of the key
is different from "being the subject".

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]