OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] SAML2 Holder-of-Key Assertion Profile

On Fri, Aug 15, 2008 at 2:54 PM, Scott Cantor <cantor.2@osu.edu> wrote:
> What
> if I don't physically present a certificate or a key, but I login with a
> password to an account that is known out of band to be mapped to a key? I
> should still be able to issue a HoK assertion.

Good point.

> Separately, I would continue to argue that the profile would be better if it
> forced a consistent key-based processing model. If I put a certificate into
> the assertion, I want to be able to confirm that assertion with that key,
> period. The fact that other syntaxes can also be used doesn't change the
> value of that processing rule, because of the ubiquity and convenience of
> certificates. I argue that there is no value in forcing certificate
> equality, and advantages to not doing so. Consistency across the different
> syntaxes, for one.

I agree this is one of two open issues (the other is conformance).  If
a key-based processing model doesn't otherwise detract from a PKI (if
one happens to exist), I could support it.  I'm not yet convinced
that's the case, however, which is why I proposed a natural processing
model based on the particular X.509 data item bound to the assertion.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]