Subject: Re: [wss] error in wss-v1.1-spec-cs-SAMLTokenProfile 3.5.2.3 and 3.5.2.4 examples
Greg Whitehead wrote:
> These sections are supposed to show examples of the sender-vouches
> subject confirmation method, but the assertions in the examples are
> holder-of-key.
>
> -Greg

Hi Greg,

The attesting entity signed the sender-vouches assertion using a key identified by a (second) hok assertion. The hok assertion is in the msg. The sender-vouches assertion is not in the msg. The example is an all-saml formulation. The second assertion could have been an x509 certificate or a kerberos service ticket (for example) - and the signing key could also have been conveyed by reference.

Hope this clarifies things, and thanks,

Ron

> 3.5.2.3 Example V1.1
> The following example illustrates an attesting entity's use of the
> sender-vouches subject confirmation method with an associated
> <ds:Signature> element to establish its identity and to assert that it
> has sent the message body on behalf of the subject(s) of the V1.1
> assertion referenced by "STR1". The assertion referenced by "STR1" is
> not included in the message. "STR1" is referenced by <ds:Reference>
> from <ds:SignedInfo>. The <ds:Reference> includes the STR-transform to
> cause the assertion, not the <SecurityTokenReference>, to be included
> in the digest calculation. "STR1" includes a <saml:AuthorityBinding>
> element that utilizes the remote assertion referencing technique
> depicted in the example of section 3.3.3.
> The SAML V1.1 assertion embedded in the header and referenced by
> "STR2" from <ds:KeyInfo> corresponds to the attesting entity. The
> private key corresponding to the public confirmation key occurring in
> the assertion is used to sign together the message body and the
> assertion referenced by "STR1".
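The structure Ron describes, as an added illustrative skeleton (not the spec's own 3.5.2.3 example and not the TC's text): the only assertion carried in the message is the attesting entity's holder-of-key assertion, STR1 points at a sender-vouches assertion that is fetched remotely, and the signature's <ds:KeyInfo> resolves through STR2 to the embedded assertion. The wsu:Id values, AssertionIDs, Issuer, Location and the PLACEHOLDER digest and signature values are constructed for this sketch; the namespace URIs, confirmation-method URIs, TokenType/ValueType identifiers and the STR-Transform algorithm are the standard WSS 1.1 / SAML 1.1 ones.

```xml
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <!-- The only assertion carried in the message: holder-of-key, for the attesting entity.
       Its confirmation key is the public half of the key that produces the signature below. -->
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_hok-1" Issuer="sts.example" IssueInstant="2004-01-01T00:00:00Z">
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI" AuthenticationInstant="2004-01-01T00:00:00Z">
      <saml:Subject>
        <saml:NameIdentifier>attesting-entity</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
          <ds:KeyInfo><!-- placeholder: attesting entity's public confirmation key --></ds:KeyInfo>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
  <!-- STR1: the sender-vouches assertion (constructed AssertionID _sv-1) is NOT in the message;
       the AuthorityBinding says where to retrieve it (remote referencing, spec section 3.3.3). -->
  <wsse:SecurityTokenReference wsu:Id="STR1"
      wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
    <saml:AuthorityBinding Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://sts.example/saml" AuthorityKind="samlp:AssertionIdReference"/>
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLAssertionID">_sv-1</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <!-- STR-Transform makes the digest cover the referenced (remote) assertion, not STR1 itself.
           A second ds:Reference to the wsu:Id of the SOAP Body, omitted here, signs the body. -->
      <ds:Reference URI="#STR1">
        <ds:Transforms><ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
          <wsse:TransformationParameters>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </wsse:TransformationParameters>
        </ds:Transform></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
    <ds:KeyInfo><!-- STR2: the embedded holder-of-key assertion supplies the verification key -->
      <wsse:SecurityTokenReference wsu:Id="STR2" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLAssertionID">_hok-1</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
```

A receiver validating this must resolve STR1 (fetching _sv-1 via the AuthorityBinding) before it can recompute the STR-Transform digest, and must check that the key in _hok-1 is the one that verifies the signature; a message whose STR2 assertion is itself sender-vouches would give the receiver no key to bind the signer to.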