
security-services message


Subject: RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-05

> - In lines 377--379, I'm concerned that the assertion "MAY be signed
> if the HTTP Artifact binding is used," especially in light of the note
> on lines 389--390.  I believe a HoK assertion MUST be signed,
> regardless of how it is obtained.

In response to Nate, he's right. There is no such requirement.

Signing is orthogonal to HoK, just like it's orthogonal to bearer.

Signing might be important for other reasons, but in a point to point
exchange, the signature can be replaced by any equivalent integrity and
authentication mechanism to ensure it came as is from the IdP.

-- Scott
