Subject: Re: [security-services] Question about the HoK Web Browser SSO Profile
Hal,

I wrote a pretty extensive paragraph representing my view of the applicability and advantages of the profile into its abstract or introduction in the earlier drafts. It's been torn apart into little pieces by now, but here's an earlier edition that basically matches what Scott says:

This profile allows for transport and validation of holder-of-key assertions by standard HTTP user agents with no modification of client software and maximum compatibility with existing deployments. Most of the flows are as in standard Web Browser SSO, but an X.509 certificate presented by the user agent supplies a valid keypair through client TLS authentication for HTTP transactions. Cryptographic data resulting from TLS authentication is used for holder-of-key validation of a SAML assertion. This strengthens the assurance of the resulting authentication context and protects against credential theft, giving the service provider fresh authentication and attribute information without requiring it to perform successful validation of the certificate.

Take care,
Nate.

On Feb 22, 2010, at 9:10 PM, Scott Cantor wrote:

> Harold Lockhart wrote on 2010-02-22:
>> 1. A SAML Attribute Statement can be carried in the Assertion, thus allowing attributes to be associated with the authenticated identity.
>
> More precisely attributes that aren't inside a certificate and subject to all of the mess that entails (where mess is in the eye of the beholder).
>
>> 2. If only server certificates are being used, the IDP could perform the Authentication for the SP. The SP will still have to know how to do TLS, but not, for example, how to validate a hardware token.
>
> I suppose that's part of it. To me, the value is in offloading the PKI to the IdP. The SP doesn't have to validate the certificate, it just has to compare it to the one the IdP put in the assertion.
>
> Of course, this would be more compelling if client TLS wasn't so unusable re: the clients and servers, but that's not something we can solve here.
>
> -- Scott
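The check Scott describes above (the SP does not validate the client certificate; it compares the certificate the browser presented during client TLS with the one the IdP bound into the assertion's holder-of-key SubjectConfirmation), written out as an added example. This is not code from the thread, the TC or any OASIS deliverable. It assumes the SP has already verified the IdP's XML signature over the assertion (without that the comparison proves nothing), that the client certificate arrives as DER bytes from the TLS layer, and that the IdP placed the certificate in a ds:X509Certificate element; the assertion skeleton, the certificate bytes and the hostnames are constructed stand-ins.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard SAML 2.0 assertion and XML Signature namespaces, and the
# holder-of-key confirmation method URI.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def _parse_saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses ('Z' suffix); fractional
    seconds are dropped, which is enough for a NotOnOrAfter check."""
    value = value.split(".")[0].rstrip("Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def hok_certificates(assertion_xml, now):
    """Return the DER bytes of each X.509 certificate the IdP bound to the
    assertion through an unexpired holder-of-key SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer or sender-vouches confirmations bind no key
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            continue
        not_on_or_after = scd.get("NotOnOrAfter")
        if not_on_or_after is not None and now >= _parse_saml_time(not_on_or_after):
            continue  # stale confirmation data: ignore it rather than trust it
        for c in scd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))
    return certs


def confirm_holder_of_key(assertion_xml, tls_client_cert_der, now=None):
    """True iff the certificate the browser used for client TLS is one the IdP
    bound to this assertion. No chain building, revocation or policy checks:
    that PKI work stays at the IdP. Assumes the IdP signature over the
    assertion was verified before this is called."""
    now = now or datetime.now(timezone.utc)
    # compare_digest keeps the byte comparison constant-time.
    return any(hmac.compare_digest(c, tls_client_cert_der)
               for c in hok_certificates(assertion_xml, now))


# Constructed stand-ins for DER certificates (not real DER). A real SP takes
# these bytes from the TLS layer, e.g. ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"\x30\x82\x01\x00constructed-cert-A-not-real-DER"
CERT_B = b"\x30\x82\x01\x00constructed-cert-B-not-real-DER"

# Constructed, unsigned assertion skeleton carrying one HoK SubjectConfirmation.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0" IssueInstant="2010-02-23T02:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData NotOnOrAfter="2010-02-23T02:10:00Z"
          Recipient="https://sp.example.org/SAML2/POST">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(CERT_A).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

FRESH = datetime(2010, 2, 23, 2, 5, tzinfo=timezone.utc)   # inside the window
STALE = datetime(2010, 2, 23, 2, 15, tzinfo=timezone.utc)  # past NotOnOrAfter

if __name__ == "__main__":
    print(confirm_holder_of_key(SAMPLE_ASSERTION, CERT_A, FRESH))  # True
    print(confirm_holder_of_key(SAMPLE_ASSERTION, CERT_B, FRESH))  # False
    print(confirm_holder_of_key(SAMPLE_ASSERTION, CERT_A, STALE))  # False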