Re: [wss] error in wss-v1.1-spec-cs-SAMLTokenProfile 3.5.2.3 and 3.5.2.4 examples

[Greg Whitehead <greg.whitehead@hp.com>]

I think now I'm even more confused now.

Isn't this section supposed to show how one would use a sender- 
vouches assertion? I guess it's fine to show use of a holder-of-key  
assertion to sign the message, but wouldn't the sender-vouches  
assertion need to be included if it's in play? Otherwise, this is  
just a holder-of-key example.

-Greg

On Feb 27, 2006, at 8:01 AM, Ron Monzillo wrote:

> Greg Whitehead wrote:
>
>> These sections are supposed to show examples of the sender-vouches  
>> subject confirmation method, but the assertions in the examples  
>> are holder-of-key.
>>
>> -Greg
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail. You may a link to this group and all your TCs  
>> in OASIS
>> at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/ 
>> my_workgroups.php
>
> Hi Greg,
>
> The attesting entity signed the sender-vouches assertion using a  
> key identified
> by a (second) hok assertion. The hok assertion is in the msg. The  
> sender-vouches
> assertion is not in the msg.
>
> The example is an all-saml formulation. The second assertion could  
> have been
> an x509 certificate or a kerberos service ticket (for example) -  
> and the signing ket could
> also have been conveyed by reference.
>
> How this clarifies things, and thanks,
>
> Ron
>
>>
>> 3.5.2.3 Example V1.1
>> The following example illustrates an attesting entity’s use of the  
>> sender-vouches subject confirmation
>> method with an associated <ds:Signature> element to establish its  
>> identity and to assert that it has
>> sent the message body on behalf of the subject(s) of the V1.1  
>> assertion referenced by “STR1”.
>> The assertion referenced by “STR1” is not included in the message.  
>> “STR1” is referenced by
>> <ds:Reference> from <ds:SignedInfo>. The ds:Reference> includes  
>> the STR-transform to
>> cause the assertion, not the <SecurityTokenReference> to be  
>> included in the digest calculation.
>> “STR1” includes a <saml:AuthorityBinding> element that utilizes  
>> the remote assertion referencing
>> technique depicted in the example of section 3.3.3.
>> The SAML V1.1 assertion embedded in the header and referenced by  
>> “STR2” from <ds:KeyInfo>
>> corresponds to the attesting entity. The private key corresponding  
>> to the public confirmation key occurring
>> in the assertion is used to sign together the message body and  
>> assertion referenced by “STRI”.
>
>
>