OASIS Mailing List Archives

security-services message


Subject: Re: HoK Assertion Request Profiles (draft-01)

To follow up with more introductory information, this first draft of
the HoK Assertion Request Profiles is intentionally conservative:

- SSL/TLS is required.
- Only one HoK assertion and one AuthnStatement are allowed (but one
or more AttributeStatements are permitted).
- If the X.509 certificate is untrusted, a "meaningless certificate"
[AIXCM] is required.
- Every request satisfies the logical equivalent of IsPassive="true"
and ForceAuthn="true".

Also, there are a number of open issues (right off the bat):

- I'm not sure if the HoK Self-Request Profile (section 2) is a
protocol or a profile.
- The Issuer (which is a DN) signals the use of this profile.  Is
there an easier way to signal this profile?

I look forward to your comments.


On Sun, Dec 7, 2008 at 7:54 PM, Tom Scavo <trscavo@gmail.com> wrote:
> Draft-01 of the SAML V2.0 Holder-of-Key Assertion Request Profiles has
> been uploaded to kavi:
> http://wiki.oasis-open.org/security/SAMLHoKAssertionRequest
> This initial draft document describes how a subject self-issues a SAML
> request and obtains a holder-of-key SAML assertion using an
> AuthnRequest or an AttributeQuery.
> Tom Scavo
