OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wss] error in wss-v1.1-spec-cs-SAMLTokenProfile and examples

I think now I'm even more confused now.

Isn't this section supposed to show how one would use a sender- 
vouches assertion? I guess it's fine to show use of a holder-of-key  
assertion to sign the message, but wouldn't the sender-vouches  
assertion need to be included if it's in play? Otherwise, this is  
just a holder-of-key example.


On Feb 27, 2006, at 8:01 AM, Ron Monzillo wrote:

> Greg Whitehead wrote:
>> These sections are supposed to show examples of the sender-vouches  
>> subject confirmation method, but the assertions in the examples  
>> are holder-of-key.
>> -Greg
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail. You may a link to this group and all your TCs  
>> in OASIS
>> at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/ 
>> my_workgroups.php
> Hi Greg,
> The attesting entity signed the sender-vouches assertion using a  
> key identified
> by a (second) hok assertion. The hok assertion is in the msg. The  
> sender-vouches
> assertion is not in the msg.
> The example is an all-saml formulation. The second assertion could  
> have been
> an x509 certificate or a kerberos service ticket (for example) -  
> and the signing ket could
> also have been conveyed by reference.
> How this clarifies things, and thanks,
> Ron
>> Example V1.1
>> The following example illustrates an attesting entity’s use of the  
>> sender-vouches subject confirmation
>> method with an associated <ds:Signature> element to establish its  
>> identity and to assert that it has
>> sent the message body on behalf of the subject(s) of the V1.1  
>> assertion referenced by “STR1”.
>> The assertion referenced by “STR1” is not included in the message.  
>> “STR1” is referenced by
>> <ds:Reference> from <ds:SignedInfo>. The ds:Reference> includes  
>> the STR-transform to
>> cause the assertion, not the <SecurityTokenReference> to be  
>> included in the digest calculation.
>> “STR1” includes a <saml:AuthorityBinding> element that utilizes  
>> the remote assertion referencing
>> technique depicted in the example of section 3.3.3.
>> The SAML V1.1 assertion embedded in the header and referenced by  
>> “STR2” from <ds:KeyInfo>
>> corresponds to the attesting entity. The private key corresponding  
>> to the public confirmation key occurring
>> in the assertion is used to sign together the message body and  
>> assertion referenced by “STRI”.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]