saml-dev message



Subject: RE: [saml-dev] SAML Holder of Key Profile


Brett Beaumont wrote on 2009-01-16:
> I see now where my confusion arose - much of what I was thinking about stems
> from the security protocol underneath the profile, rather than the HoK
> assertion itself. In my mind I hadn't separated the protocol from the
> profile :)

Right. The problem is you can't write a single set of rules to share if you
bake in the protocol, but if you don't, it's confusing. Up until now, the
approach everybody has taken is to say nothing about the rules and focus on
the protocol(s).
 
> I was looking at the draft with specific interest in standards for how HoK
> tokens should work with web services. This is really the next level of
> detail down from the HoK profile, that binds the profile to a specific
> security protocol.

It is, but there's also the problem that there are no existing standards of
that nature likely to dictate a profile for HoK. Some of us argue that makes
them fairly worthless for non-trivial interop.

> With respect to Proof of Possession (PoP), perhaps it just needs to be said
> that obtaining PoP of the cert is an RP responsibility - in order to comply
> with the definition of the SubjectConfirmationMethod. The means for
> obtaining that proof can be explicitly stated as beyond the scope of the
> profile. When standards bodies then bind the profile to a specific security
> protocol, they can define how PoP should occur within that protocol.

That was pretty much what I suggested earlier in my last email. There are
some assumptions that can hopefully just be enumerated.

> With respect to the term "attesting party", I notice that it isn't defined
> in saml-glossary-2.0-os.pdf, though I'm sure I have seen the term somewhere
> in the specifications.

There was significant churn over the language around subject confirmation. I
preferred confirming entity just to make it consistent with the element.

> The "attesting party" is the entity presenting the
> SAML token. Under the Web-SSO profiles, the attesting party is technically
> the browser, even though we tend to consider the browser as actually being
> part of the subject. Under a web service model, the attesting party is the
> web service client.

Correct.

-- Scott
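The separation discussed in this message, shown as an added example (not code from the thread or from any OASIS deliverable): the assertion's holder-of-key SubjectConfirmation names the key the subject must hold (a ds:KeyInfo under SubjectConfirmationData), while proof of possession comes from whatever security protocol carries the token. Here the protocol is assumed to be TLS client authentication, so the attesting party's client certificate is what the RP compares against; the certificate bytes and the assertion are constructed stand-ins, and verification of the assertion's own signature is assumed to have happened already.

```python
"""RP-side subject confirmation for a SAML 2.0 holder-of-key assertion.

Added example. Assumes the protocol binding is TLS client authentication,
so the attesting party's client certificate is the proof-of-possession
artifact; the RP only has to check that it is one of the keys the
assertion confirms. Signature validation of the assertion is assumed done.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for DER certificate bytes (not real certificates).
ATTESTING_PARTY_CERT_DER = b"constructed-der-bytes-for-the-client-cert"
OTHER_CERT_DER = b"constructed-der-bytes-for-some-other-cert"


def build_assertion(cert_der: bytes, method: str = HOK) -> str:
    """Constructed, minimal assertion carrying one SubjectConfirmation.

    For holder-of-key the confirmed certificate goes in ds:KeyInfo inside
    SubjectConfirmationData (KeyInfoConfirmationDataType); the same layout
    is reused for a bearer confirmation so the Method check can be exercised.
    """
    b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_a1" Version="2.0" IssueInstant="2009-01-16T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{b64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def confirmed_cert_thumbprints(assertion_xml: str) -> List[str]:
    """SHA-256 thumbprints of every certificate the assertion confirms.

    Only holder-of-key confirmations name a key; bearer confirmations are
    skipped, so a bearer assertion yields an empty list.
    """
    root = ET.fromstring(assertion_xml)
    thumbs: List[str] = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        path = ("saml:SubjectConfirmationData/ds:KeyInfo/"
                "ds:X509Data/ds:X509Certificate")
        for cert in sc.findall(path, NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbs.append(hashlib.sha256(der).hexdigest())
    return thumbs


def rp_confirms_subject(assertion_xml: str,
                        presented_cert_der: Optional[bytes]) -> bool:
    """Relying-party decision: is the attesting party the confirmed holder?

    presented_cert_der is the certificate the attesting party proved
    possession of at the protocol layer (assumed: the TLS client cert).
    None means the protocol supplied no proof, so a HoK assertion cannot
    be confirmed no matter what it says.
    """
    if presented_cert_der is None:
        return False
    thumbs = confirmed_cert_thumbprints(assertion_xml)
    if not thumbs:
        return False
    return hashlib.sha256(presented_cert_der).hexdigest() in thumbs


if __name__ == "__main__":
    a = build_assertion(ATTESTING_PARTY_CERT_DER)
    print("same cert presented:", rp_confirms_subject(a, ATTESTING_PARTY_CERT_DER))
    print("other cert presented:", rp_confirms_subject(a, OTHER_CERT_DER))
    print("no client cert:", rp_confirms_subject(a, None))
```

The point the code makes is the one from the message: the profile only fixes what the RP must establish (that the presenter holds the confirmed key), and `presented_cert_der` is the hand-off point where a protocol binding supplies its own proof. Swapping TLS client authentication for a WS-Security signature over the message would change how that parameter is obtained, not the confirmation check itself.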
