OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Question about the HoK Web Broswer SSO Profile


I wrote a pretty extensive paragraph representing my view of the  
applicability and advantages of the profile into its abstract or  
introduction in the earlier drafts.  It's been torn apart into little  
pieces by now, but here's an earlier edition that basically matches  
what Scott says:

This profile allows for transport and validation of holder-of-key  
assertions by standard HTTP user
agents with no modification of client software and maximum  
compatibility with existing
deployments. Most of the flows are as in standard Web Browser SSO, but  
an X.509 certificate
presented by the user agent supplies a valid keypair through client  
TLS authentication for HTTP
transactions. Cryptographic data resulting from TLS authentication is  
used for holder-of-key
validation of a SAML assertion. This strengthens the assurance of the  
resulting authentication
context and protects against credential theft, giving the service  
provider fresh authentication and
attribute information without requiring it to perform successful  
validation of the certificate.

Take care,

On Feb 22, 2010, at 9:10 PM, Scott Cantor wrote:

> Harold Lockhart wrote on 2010-02-22:
>> 1. A SAML Attribute Statement can be carried in the Assertion, thus  
>> allowing
>> attributes to be associated with the authenticated identity.
> More precisely attributes that aren't inside a certificate and  
> subject to all of the mess that entails (where mess is in the eye of  
> the beholder).
>> 2. If only server certificates are being used, the IDP could  
>> perform the
>> Authnetication for the SP. The SP will still have to know how to do  
>> TLS, but
>> not, for example how to validate a hardware token.
> I suppose that's part of it. To me, the value is in offloading the  
> PKI to the IdP. The SP doesn't have to validate the certificate, it  
> just has to compare it to the one the IdP put in the assertion.
> Of course, this would be more compelling if client TLS wasn't so  
> unusable re: the clients and servers, but that's not something we  
> can solve here.
> -- Scott
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]