Subject: Re: [wss-comment] Problem with Sender Vouchers example in SAML Token Profile 1.0 and 1.1
On Wed, Nov 12, 2008 at 9:51 AM, Ron Monzillo <Ronald.Monzillo@sun.com> wrote:
> Tom Scavo wrote:
>>
>> On Tue, Nov 11, 2008 at 7:58 PM, Glen Mazza <glen.mazza@gmail.com> wrote:
>>
>>> It would be nice if the docs could be updated to remove the confusion.
>>
>> Not likely since the WSS TC is closed.
>
> Please look at the examples in the WSS STP more closely.

I have, on many occasions, and there are many flaws. In the first example on lines 191--227 of SAML Token Profile 1.1, there are the following problems:

- The type of the <saml:SubjectStatement> element is abstract, therefore it may not be used as a concrete element in a SAML V1.1 assertion. The <saml:SubjectStatement> element is an extension point only.

- The SAML V1.1 assertion has two different subjects. Although this is legal, there is no use for such an assertion. In fact, SAML V2.0 removes this capability and therefore the two examples in this section are not equivalent. Note there is a spec that calls out this issue: http://wiki.oasis-open.org/security/SamlSubjectProfiles

- Both sender-vouches and holder-of-key are used in the same assertion. Since an assertion is only as strong as its weakest subject confirmation method, this is not a realistic example to say the least.

That's just the first example :-)

Tom
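The three structural problems the post lists can be checked mechanically before an assertion is accepted. The following is an added example, not code from the post or from the WSS TC: a small Python validator that parses a SAML V1.1 assertion and flags a concrete <saml:SubjectStatement>, more than one distinct subject, and sender-vouches combined with holder-of-key. The two sample assertions embedded in it are constructed for this example (they are not the profile's lines 191--227); the namespace and confirmation-method URIs are the standard SAML 1.x ones.

```python
"""Structural checks for a SAML V1.1 assertion, covering the three problems raised
in the post. Sample assertions are constructed for this example, not spec text."""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SUBJECT_STATEMENT = f"{{{SAML1_NS}}}SubjectStatement"  # abstract type: extension point only
SUBJECT = f"{{{SAML1_NS}}}Subject"
NAME_ID = f"{{{SAML1_NS}}}NameIdentifier"
CONF_METHOD = f"{{{SAML1_NS}}}ConfirmationMethod"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"


def check_assertion(xml_text: str) -> List[str]:
    """Return finding codes in check order; an empty list means none of the three
    problems is present. Signature/validity checks are out of scope here."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # 1. SubjectStatement is abstract in the SAML 1.1 schema; a concrete
    #    statement must be Authentication/Attribute/AuthorizationDecisionStatement.
    if any(el.tag == SUBJECT_STATEMENT for el in root.iter()):
        findings.append("abstract-statement")

    # 2. Collect every subject; identity is (Format, NameIdentifier text).
    subjects: Set[Tuple[str, str]] = set()
    methods: Set[str] = set()
    for subj in root.iter(SUBJECT):
        nid = subj.find(NAME_ID)
        if nid is not None:
            subjects.add((nid.get("Format", ""), (nid.text or "").strip()))
        for cm in subj.iter(CONF_METHOD):
            methods.add((cm.text or "").strip())
    if len(subjects) > 1:
        findings.append("multiple-subjects")

    # 3. The assertion is only as strong as its weakest confirmation method, so
    #    holder-of-key gains nothing when sender-vouches is also offered.
    if SENDER_VOUCHES in methods and HOLDER_OF_KEY in methods:
        findings.append("mixed-confirmation")
    return findings


# Constructed sample exhibiting all three problems.
FLAWED_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="idp.example.com" IssueInstant="2008-11-12T09:51:00Z">
  <saml:SubjectStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:SubjectStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob@example.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://example.com/attrs">
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample with one subject, one concrete statement, one method.
CLEAN_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-2" Issuer="idp.example.com" IssueInstant="2008-11-12T09:51:00Z">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://example.com/attrs">
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for name, doc in (("flawed", FLAWED_ASSERTION), ("clean", CLEAN_ASSERTION)):
        print(name, check_assertion(doc) or "no findings")
```

The checker deliberately reports only these three schema-level and policy-level properties; it does not verify the XML signature or the assertion's validity period, which a real relying party must do before any of this matters.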