OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Correction to my diatribe about assertion Subjects on last call

On Thu, Nov 20, 2008 at 1:38 PM, Nate Klingenstein <ndk@internet2.edu> wrote:
> So, here's the text I'd propose for draft -10:
> ●       The <saml:Subject> element of every assertion returned MUST refer to
> the principal.  It is allowable for the content of the <saml:Subject>
> elements to differ, e.g. using a different <saml:NameID> or
> <saml:SubjectConfirmation> elements.
> ●       The set of one or more assertions MUST contain at least one
> <saml:AuthnStatement> that reflects the authentication of the principal to
> the identity provider.

"one or more holder-of-key assertions"

> ●       Any assertion issued for consumption using this profile  MUST be a
> holder-of-key assertion as defined in [SAML2HoKAP] and adhere to section 1.4
> therein.  If the <samlp:AuthnRequest> does not contain a <saml:Subject> with
> a <saml:SubjectConfirmation>, and the service provider does not indicate
> otherwise, such as through metadata,

How is this done with metadata?

> every assertion in the response MUST
> contain a <ds:X509Certificate> element in its <ds:X509Data>.  This
> certificate SHOULD be DER-encoded.

Strike that last sentence.  There is no requirement that the assertion
be DER-encoded.

> Other certificate information MAY be
> included in additional child elements of <ds:X509Data>.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]