
Subject: Re: [wss] error in wss-v1.1-spec-cs-SAMLTokenProfile and3.5.2.4 examples

Greg Whitehead wrote:

> These sections are supposed to show examples of the sender-vouches 
> subject confirmation method, but the assertions in the examples are 
> holder-of-key.
> -Greg

Hi Greg,

The attesting entity signed the sender-vouches assertion using a key 
by a (second) hok assertion. The hok assertion is in the msg. The 
assertion is not in the msg.

The example is an all-saml formulation. The second assertion could have 
an x509 certificate or a kerberos service ticket (for example) - and the 
signing key could also have been conveyed by reference.

Hope this clarifies things, and thanks,


> Example V1.1
> The following example illustrates an attesting entity’s use of the 
> sender-vouches subject confirmation
> method with an associated <ds:Signature> element to establish its 
> identity and to assert that it has
> sent the message body on behalf of the subject(s) of the V1.1 
> assertion referenced by “STR1”.
> The assertion referenced by “STR1” is not included in the message. 
> “STR1” is referenced by
> <ds:Reference> from <ds:SignedInfo>. The <ds:Reference> includes the 
> STR-transform to
> cause the assertion, not the <SecurityTokenReference> to be included 
> in the digest calculation.
> “STR1” includes a <saml:AuthorityBinding> element that utilizes the 
> remote assertion referencing
> technique depicted in the example of section 3.3.3.
> The SAML V1.1 assertion embedded in the header and referenced by 
> “STR2” from <ds:KeyInfo>
> corresponds to the attesting entity. The private key corresponding to 
> the public confirmation key occurring
> in the assertion is used to sign together the message body and 
> assertion referenced by “STR1”.
