[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: issues with sstc-saml2-holder-of-key-draft-02
On Mon, Aug 25, 2008 at 11:26 AM, Tom Scavo <trscavo@gmail.com> wrote:

> For the purposes of discussion, this is a brief summary of the open
> issues regarding the "SAML V2.0 Holder-of-Key Assertion Profile":
>
> http://wiki.oasis-open.org/security/SAMLHoKSubjectConfirmation

I've recently uploaded draft-03, including a diff.

> 1. Should the non-normative Background section (2.2) be eliminated (or
> significantly pared down)?

The "Background" section has been changed to "Profile Description" and has been trimmed.

> 2. The following two normative requirements are specified:
>
> i) The presenter MUST present an X.509 public key certificate
> ii) The presenter MUST prove possession of the corresponding private key
>
> Should these requirements be removed from the profile?

These requirements have been removed. In draft-03, there is no mention of a presenter or the act of proving possession of a private key. All that remains is the mere existence of an X.509 certificate. How an issuer or relying party obtains the certificate is out of scope.

> 3. Is there a need for a ProofInstant attribute (analogous to AuthnInstant)?

Although I think there may be a need, no such attribute was added (since it would require a discussion of the proof of possession step, which has been removed).

> 4. How should a relying party process ds:X509Certificate, by comparing
> certificates (byte for byte) or comparing keys?

A "relying party MUST confirm that the DER-encoded certificate bound to the assertion matches the X.509 certificate...by comparing the certificates, or the hash values of the certificates, byte-for-byte."

> 5. What are the conformance requirements? (Currently,
> ds:X509Certificate and ds:X509SKI are specified as required to
> implement.)

The conformance requirements have been simplified so that <ds:X509Certificate> is mandatory to implement by both the issuer and the relying party.

However, it may be desirable to require the issuer to support all four elements (<ds:X509Certificate>, <ds:X509SKI>, <ds:X509SubjectName>, and <ds:X509IssuerSerial>). I'll leave this open to discussion.

Tom
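Item 4 of the message above, as an added example that is not part of this thread or of the draft profile: a relying-party check in Python that pulls the <ds:X509Certificate> out of a holder-of-key <saml:SubjectConfirmation> and compares it byte-for-byte (via SHA-256 digests of the DER) against the certificate the presenter actually used, rather than comparing public keys. The sample assertion, the DER blob and the helper names are constructed for this demo.

```python
import base64
import hashlib
import hmac
import textwrap
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
CERT_PATH = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def bound_certificates(assertion_xml: str) -> list:
    """DER bytes of every <ds:X509Certificate> under a holder-of-key
    <saml:SubjectConfirmation>; bearer confirmations are ignored. Base64 in
    XML is usually line-wrapped, so whitespace is stripped before decoding."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        for el in sc.findall(CERT_PATH, NS):
            certs.append(base64.b64decode("".join((el.text or "").split()), validate=True))
    return certs

def confirm_holder_of_key(assertion_xml: str, presented_der: bytes) -> bool:
    """The draft's relying-party rule: the certificate bound to the assertion
    must equal the presented certificate byte-for-byte. Comparing SHA-256
    digests of the raw DER is equivalent; comparing only the public keys is
    not, because two different certificates can carry the same key."""
    want = hashlib.sha256(presented_der).digest()
    return any(hmac.compare_digest(hashlib.sha256(c).digest(), want)
               for c in bound_certificates(assertion_xml))

# Constructed stand-in for a DER certificate (not a real X.509 structure).
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def sample_assertion(der: bytes, method: str = HOK) -> str:
    """Constructed minimal assertion for this demo, with the base64
    certificate wrapped at 64 columns as issuers commonly emit it."""
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{method}"><saml:SubjectConfirmationData>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </saml:SubjectConfirmationData></saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""
```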