Subject: [wss] SAML binding and Urn:ietf:rfc:3075
Section "3.4 Proof-of-Possession of Security Tokens" of the SAML binding lists the XML Signature authentication method "Urn:ietf:rfc:3075" as a mandatory subject confirmation mechanism. I think this "authentication mechanism" should be removed from the list of mandatory SAML subject confirmation mechanisms.

Assertions containing a "holder-of-key" subject confirmation method indicate that the sender of the assertion must demonstrate knowledge of some key data. Presumably, such knowledge could be demonstrated by various means, XML signature being one, although what must be signed would likely also need to be qualified (by the msg receiver). In addition to XML signature, the same holder-of-key assertion could likely be confirmed by another type of cipher operation such as XML encryption.

I believe the specification of how knowledge of the key is demonstrated should NOT be conveyed in the assertion, but rather in information like that being proposed by the QOP work, where a service description might describe the proof or proofs that are required of the message sender.

Thoughts/comments?

Ron
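An added example (not code from the post or the WSS TC) of the receiver-side model the post argues for: the assertion only says "holder-of-key", and a hypothetical service description decides which proof of possession (a sender signature or an encryption operation) is acceptable. The proof labels, the sample assertion and the policy are constructed here; only element presence and placement are checked, not the cryptography.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

# Hypothetical service description (QOP-style): the receiver's policy, not the
# assertion, names the accepted proofs. The labels below are chosen here, not
# standard URIs; an in-assertion method like "Urn:ietf:rfc:3075" becomes redundant.
PROOF_ELEMENTS = {
    "xml-signature": f"{{{DSIG}}}Signature",
    "xml-encryption": f"{{{XENC}}}EncryptedData",
}

def check_proof(message_xml, accepted_proofs):
    """Return the label of the accepted proof the message carries; None when the
    assertion is not holder-of-key (no proof owed); ValueError when a holder-of-key
    assertion arrives without one. Only presence and placement of the proof element
    are checked; signature verification / decryption is out of scope here."""
    root = ET.fromstring(message_xml)
    assertion = root.find(f".//{{{SAML}}}Assertion")
    methods = [m.text.strip() for m in root.iter(f"{{{SAML}}}ConfirmationMethod")]
    if assertion is None or HOLDER_OF_KEY not in methods:
        return None
    for label in accepted_proofs:
        tag = PROOF_ELEMENTS[label]
        # The issuer's signature lives inside the assertion; the sender's proof
        # must be a separate element outside it, or it proves nothing about the sender.
        inside = {id(e) for e in assertion.iter(tag)}
        if any(id(e) not in inside for e in root.iter(tag)):
            return label
    raise ValueError("holder-of-key assertion without an accepted proof of possession")

def sample_message(sender_proof=""):
    """Constructed message: an issuer-signed holder-of-key assertion followed by
    an optional sender-level proof element supplied by the caller."""
    return f"""<Envelope>
  <saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DSIG}">
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
  </saml:Assertion>
  {sender_proof}
</Envelope>"""

SENDER_SIG = f'<ds:Signature xmlns:ds="{DSIG}"><ds:SignedInfo/></ds:Signature>'
SENDER_ENC = f'<xenc:EncryptedData xmlns:xenc="{XENC}"/>'
```

The issuer's signature inside the assertion is deliberately not counted as the sender's proof; an assertion with no separate proof element fails the check even though it is signed.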