Subject: Re: http://saml.xml.org/news/holder-of-key-web-browser-sso-profile
Hi Peter,

On Tue, Nov 18, 2008 at 12:55 PM, Peter Sylvester <Peter.Sylvester@edelweb.fr> wrote:
>
> I am a bit confused about what is written in the
>
> http://saml.xml.org/news/holder-of-key-web-browser-sso-profile
>
> "The service provider should rely on no information from the certificate
> beyond the key; instead, it consumes the assertion to create a security
> context."

Well, first of all, I suggest you read the profile first hand:

http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile

since what you find on saml.xml.org may or may not be technically correct.

Second, you're not the first to ask about this issue (which says something to me). In fact, it came up in that (long) thread in the IETF PKIX WG.

> An X509 certificate binds a public key to some identity (or more), assuming
> that you do identity-based authorisation, for example. So one needs the
> identity information; this is MORE than the DN.

No, in this case, the identity is in the SAML, not the X.509. In general, the relying party does not trust the issuer of the X.509 certificate, but the latter is required at the TLS layer so that the presenter can prove possession of the private key. It is this proof-of-possession step that makes the profile work. The identity in the certificate does not come into play.

Tom
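The check Tom describes, as an added illustration that is not part of this thread or of the OASIS profile text: the service provider matches the certificate the presenter proved possession of at the TLS layer against the holder-of-key confirmation in the assertion, and takes the principal from the assertion's NameID while never reading the certificate's subject DN or issuer. It assumes the assertion's signature has already been verified, that the KeyInfo carries the confirmation certificate as ds:X509Certificate, and that the certificate bytes and assertion below are constructed samples.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for the DER bytes of the client certificate the TLS
# layer reports once the presenter has proved possession of its private key.
PRESENTED_CERT_DER = b"constructed-client-cert-der-bytes"
OTHER_CERT_DER = b"constructed-different-cert-der-bytes"


def sample_assertion(cert_der: bytes, method: str = HOK) -> str:
    """Constructed assertion: identity in NameID, confirmation key in KeyInfo."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject>
    <saml:NameID>bob@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes):
    """Return a security context built from the assertion if a holder-of-key
    confirmation names the certificate the presenter proved possession of,
    else None.  The certificate's subject DN and issuer are never consulted:
    the relying party does not trust the certificate's issuer, only the key."""
    root = ET.fromstring(assertion_xml)
    presented = hashlib.sha256(presented_cert_der).digest()
    for sc in root.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:  # a bearer confirmation proves nothing here
            continue
        for cert in sc.iterfind(".//ds:X509Certificate", NS):
            confirmed = hashlib.sha256(base64.b64decode(cert.text.strip())).digest()
            if hmac.compare_digest(confirmed, presented):
                name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
                return {"principal": name_id, "confirmation": "holder-of-key"}
    return None
```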