Subject: RE: [saml-dev] SAML Holder of Key Profile
Brett Beaumont wrote on 2009-01-16:

> I see now where my confusion arose - much of what I was thinking about stems
> from the security protocol underneath the profile, rather than the HoK
> assertion itself. In my mind I hadn't separated the protocol from the
> profile :)

Right. The problem is you can't write a single set of rules to share if you bake in the protocol, but if you don't, it's confusing. Up until now, the approach everybody has taken is to say nothing about the rules and focus on the protocol(s).

> I was looking at the draft with specific interest in standards for how HoK
> tokens should work with web services. This is really the next level of
> detail down from the HoK profile, that binds the profile to a specific
> security protocol.

It is, but there's also the problem that there are no existing standards of that nature likely to dictate a profile for HoK. Some of us argue that makes them fairly worthless for non-trivial interop.

> With respect to Proof of Possession (PoP), perhaps it just needs to be said
> that obtaining PoP of the cert is an RP responsibility - in order to comply
> with the definition of the SubjectConfirmationMethod. The means for
> obtaining that proof can be explicitly stated as beyond the scope of the
> profile. When standards bodies then bind the profile to a specific security
> protocol, they can define how PoP should occur within that protocol.

That was pretty much what I suggested earlier in my last email. There are some assumptions that can hopefully just be enumerated.

> With respect to the term "attesting party", I notice that it isn't defined
> in saml-glossary-2.0-os.pdf, though I'm sure I have seen the term somewhere
> in the specifications.

There was significant churn over the language around subject confirmation. I preferred confirming entity just to make it consistent with the element.

> The "attesting party" is the entity presenting the
> SAML token. Under the Web-SSO profiles, the attesting party is technically
> the browser, even though we tend to consider the browser as actually being
> part of the subject. Under a web service model, the attesting party is the
> web service client.

Correct.

-- Scott
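The RP-side check the thread describes, as an added example that is not part of this mailing-list exchange: the relying party reads the holder-of-key SubjectConfirmation elements from the assertion and compares the certificate they name against the certificate the attesting party (the web service client) actually proved possession of. How that proof is obtained is the underlying protocol's job; the example assumes TLS client authentication and passes the proven certificate in as DER bytes. The assertion and certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed placeholders standing in for DER-encoded certificates; not real certs.
CLIENT_CERT_DER = b"constructed-der-bytes-of-web-service-client-cert"
OTHER_CERT_DER = b"constructed-der-bytes-of-some-other-cert"

# Constructed assertion: one bearer confirmation (must be ignored by a HoK RP)
# and one holder-of-key confirmation naming the client certificate.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    Version="2.0" ID="_constructed-id" IssueInstant="2009-01-16T00:00:00Z">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {base64.b64encode(CLIENT_CERT_DER).decode()}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def hok_confirmation_keys(assertion_xml: str) -> List[bytes]:
    """DER certificates named by holder-of-key SubjectConfirmation elements only."""
    root = ET.fromstring(assertion_xml)
    keys = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer and sender-vouches carry no key to confirm against
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert in sc.findall(path, NS):
            keys.append(base64.b64decode("".join((cert.text or "").split())))
    return keys


def confirm_holder_of_key(assertion_xml: str, proven_cert_der: Optional[bytes]) -> bool:
    """RP check: the attesting party proved possession (assumed: TLS client auth) of
    proven_cert_der; confirmation succeeds only if the assertion names that cert."""
    if proven_cert_der is None:
        return False  # no proof of possession obtained, so HoK cannot be confirmed
    return any(k == proven_cert_der for k in hok_confirmation_keys(assertion_xml))
```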