wss-comment message
Subject: Re: [wss-comment] Problem with Sender Vouchers example in SAML TokenProfile 1.0 and 1.1


Tom Scavo wrote:
> On Tue, Nov 11, 2008 at 7:58 PM, Glen Mazza <glen.mazza@gmail.com> wrote:
> 
>>The Sender-Vouchers SAML example in both the SAML Token Profile 1.0 and in
>>1.1 appears to be in error--the configuration is using the holder-of-key URN
>>not the sender-vouches one.
>>
>>Links [1] (Question #4) and [2] explain the issue.
> 
> 
> The conclusions of the above thread are basically correct.  Perhaps
> this doc may also help:
> 
> http://wiki.oasis-open.org/security/SAMLHoKSubjectConfirmation
> 
> 
>>It would be nice if the docs could be updated to remove the confusion.
> 
> 
> Not likely since the WSS TC is closed.
> 

Please look at the examples in the WSS STP more closely.

The examples being referred to depict the use of SAML tokens to allow 
one party (aka, the sender) to attest to (i.e., vouch for) another.

There are 2 SAML assertions. The assertion (referenced by STR2) 
corresponds to the sender and is HOK confirmed. The assertion that 
corresponds to the party being vouched for (as referenced by STR1) is 
SV confirmed.

The sender is using its key to sign and thus bind the SV confirmed 
assertion to the message. As such, the sender is using its key to vouch 
for the claims appearing in the SV confirmed assertion (which apply to 
another entity).

The HOK assertion of the sender could be replaced with the X509 cert of 
the sender, and the effect would be equivalent. The example shows how 
the same effect can be achieved using only SAML assertions.

The example also shows the use of the STR transform during signing of 
the vouched-for assertion, and as such the vouched-for assertion does 
not occur in the message. In retrospect, including the vouched-for 
assertion in the msg (and depicting the use of the STR transform in 
another example) would have simplified the example, and allowed folks to 
recognize the presence of the SV confirmed assertion.

Ron
>>Regards,
>>Glen
> 
> 
> Tom Scavo
> 
> 
>>[1] http://tinyurl.com/59ucl6
>>[2] http://tinyurl.com/6j89gp
> 
> 
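A relying-party check for the pattern Ron describes, added here as an illustration and not taken from the WSS STP or from this thread. It assumes SAML 2.0 confirmation URNs, a constructed and simplified header that carries both assertions inline (as Ron suggests) with no ValueType attributes or SignatureValue, and that the XML Signature has already been cryptographically verified with the key of the token named in its KeyInfo; the assertion IDs and STR names are made up. The SV assertion is accepted only when it is bound by a signature whose key belongs to an HOK-confirmed token, so a signing token that carries the sender-vouches URN (the mix-up the thread is about) is rejected.

```python
import xml.etree.ElementTree as ET

NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SV = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
WSU_ID = f"{{{NS['wsu']}}}Id"


def security_header(sender_method=HOK, vouched_method=SV):
    """Constructed wsse:Security header (not the STP's example): both assertions inline,
    STR1 -> vouched-for assertion signed via STR-Transform, STR2 -> the signing token."""
    return f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
      xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion ID="a-sender"><saml:Subject>
    <saml:SubjectConfirmation Method="{sender_method}"/></saml:Subject></saml:Assertion>
  <saml:Assertion ID="a-vouched"><saml:Subject>
    <saml:SubjectConfirmation Method="{vouched_method}"/></saml:Subject></saml:Assertion>
  <wsse:SecurityTokenReference wsu:Id="STR1">
    <wsse:KeyIdentifier>a-vouched</wsse:KeyIdentifier></wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#STR1"><ds:Transforms>
    <ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms></ds:Reference></ds:SignedInfo>
  <ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR2">
    <wsse:KeyIdentifier>a-sender</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature></wsse:Security>"""


def check_sender_vouches(xml_text):
    """Map assertion ID -> accepted?, assuming the ds:SignatureValue was already
    verified with the key of the token named in KeyInfo (STR2)."""
    root = ET.fromstring(xml_text)
    methods = {a.get("ID"): a.find("saml:Subject/saml:SubjectConfirmation", NS).get("Method")
               for a in root.iter(f"{{{NS['saml']}}}Assertion")}
    strs = {s.get(WSU_ID): s.findtext("wsse:KeyIdentifier", namespaces=NS)
            for s in root.iter(f"{{{NS['wsse']}}}SecurityTokenReference")}
    sig = root.find("ds:Signature", NS)
    signer = strs[sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS).get(WSU_ID)]
    signed = set()  # assertion IDs the sender's signature binds to this message
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        target = ref.get("URI").lstrip("#")
        algs = {t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)}
        signed.add(strs[target] if STR_TRANSFORM in algs else target)  # STR-Transform: the referenced token was signed
    # The sender's key is proof of possession only for an HOK assertion; a signing
    # token that carries the sender-vouches URN (the error in the STP examples) fails.
    sender_proved = methods.get(signer) == HOK
    return {aid: sender_proved and (aid == signer or (method == SV and aid in signed))
            for aid, method in methods.items()}
```

Calling `security_header(sender_method=SV)` reproduces the mislabelled configuration from the thread and every assertion is rejected, since nothing then proves the sender holds the signing key.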


