[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] SAML2 Holder-of-Key Assertion Profile
On Fri, Aug 15, 2008 at 2:54 PM, Scott Cantor <cantor.2@osu.edu> wrote:
> What if I don't physically present a certificate or a key, but I log in with a
> password to an account that is known out of band to be mapped to a key? I
> should still be able to issue a HoK assertion.

Yes, that's a very good point. In fact, it exposes a flaw in the current
profile: an issued <saml:SubjectConfirmation> element must include a timestamp.
Since the <saml:SubjectConfirmationData> element is extensible, this is fairly
easy:

  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"
        xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
        hok:ProofInstant="2008-08-08T18:01:27.712Z">
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- X.509 data here -->
        </ds:X509Data>
      </ds:KeyInfo>
    </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>

In the same way that ForceAuthn affects AuthnInstant, a requester can force
proof of possession by including an appropriate boolean value in a requested
<saml:SubjectConfirmation> element:

  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"
        xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
        hok:ForceProof="true">
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- X.509 data here -->
        </ds:X509Data>
      </ds:KeyInfo>
    </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>

Unless there are objections, I'll include these requirements (and schema) in the
next version of the HoK Assertion Profile.

Thanks,
Tom
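The following is an added example, not code from the original message, the OASIS profile, or any SAML implementation. It shows the relying-party side of the proposal above: a requester reads whether it asked for hok:ForceProof, and then checks an issued holder-of-key <saml:SubjectConfirmation> for the proposed hok:ProofInstant the same way a ForceAuthn requester checks AuthnInstant against its own IssueInstant. The hok:* attribute names, the KeyInfo/X509Data/X509Certificate layout, the freshness window and the sample messages are assumptions taken from the proposal and constructed for the example. It assumes the enclosing assertion's signature has already been verified and that the certificate returned is later matched against the key the presenter actually proved possession of (for example the TLS client certificate); the stdlib parser is used for portability, and a production deployment should use a hardened parser such as defusedxml.

```python
"""Relying-party checks for a holder-of-key SubjectConfirmation carrying the
proposed hok:ProofInstant / hok:ForceProof attributes (example code; the hok
attributes and the sample messages are assumptions, not part of SAML 2.0 core).
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "hok": "urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key",  # assumed namespace
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def q(prefix, local):
    """Clark-notation name ({uri}local) for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], local)


def parse_instant(value):
    """SAML xs:dateTime values are UTC with a trailing 'Z'; fractions allowed."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def requester_forces_proof(requested_confirmation_xml):
    """True if the requested SubjectConfirmation sets hok:ForceProof (assumed attribute)."""
    data = ET.fromstring(requested_confirmation_xml).find(q("saml", "SubjectConfirmationData"))
    return data is not None and data.get(q("hok", "ForceProof"), "false").lower() in ("true", "1")


def check_hok_confirmation(confirmation_xml, now, request_issued, force_proof,
                           max_proof_age=dt.timedelta(minutes=5)):
    """Validate an issued HoK SubjectConfirmation.  Returns the proof instant and
    the bound certificate, or raises ValueError naming the failed check."""
    root = ET.fromstring(confirmation_xml)
    if root.tag != q("saml", "SubjectConfirmation"):
        raise ValueError("not a saml:SubjectConfirmation")
    if root.get("Method") != HOK_METHOD:
        raise ValueError("confirmation method is not holder-of-key")
    data = root.find(q("saml", "SubjectConfirmationData"))
    if data is None:
        raise ValueError("missing SubjectConfirmationData")
    # xsi:type is a QName; a strict checker resolves the prefix instead of splitting text.
    if data.get(q("xsi", "type"), "").split(":")[-1] != "KeyInfoConfirmationDataType":
        raise ValueError("SubjectConfirmationData is not KeyInfoConfirmationDataType")
    cert = data.find("./%s/%s/%s" % (q("ds", "KeyInfo"), q("ds", "X509Data"), q("ds", "X509Certificate")))
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no ds:X509Certificate to bind the subject to")
    instant = data.get(q("hok", "ProofInstant"))
    if instant is None:
        raise ValueError("no hok:ProofInstant; cannot tell when possession was proven")
    proven = parse_instant(instant)
    if proven > now:
        raise ValueError("hok:ProofInstant is in the future")
    if now - proven > max_proof_age:
        raise ValueError("proof of possession is stale")
    # ForceProof mirrors ForceAuthn: the proof must postdate our request.
    if force_proof and proven < request_issued:
        raise ValueError("ForceProof requested but proof predates the request")
    not_after = data.get("NotOnOrAfter")
    if not_after and now >= parse_instant(not_after):
        raise ValueError("SubjectConfirmationData has expired")
    return {"proof_instant": proven, "certificate": cert.text.strip()}


def failure_reason(*args, **kwargs):
    """None if the confirmation passes, otherwise the failing check's message."""
    try:
        check_hok_confirmation(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample messages for the example (placeholder certificate, not a real one).
REQUESTED = """<saml:SubjectConfirmation xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
    Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml:SubjectConfirmationData hok:ForceProof="true"/>
</saml:SubjectConfirmation>"""

ISSUED = """<saml:SubjectConfirmation xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:hok="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key"
    Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"
      hok:ProofInstant="2008-08-08T18:01:27.712Z" NotOnOrAfter="2008-08-08T18:11:27Z">
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>"""

if __name__ == "__main__":
    now = parse_instant("2008-08-08T18:02:00Z")
    issued_at = parse_instant("2008-08-08T18:01:00Z")
    print(check_hok_confirmation(ISSUED, now, issued_at, requester_forces_proof(REQUESTED)))
```

The order of checks matters: the method, the data type and the presence of key material are structural and checked before any timestamp is trusted, and the ForceProof comparison is only meaningful once the proof instant is known to be recent and not in the future. Without hok:ProofInstant the relying party has no way to distinguish a fresh proof from a password login against an account mapped to a key months ago, which is exactly the gap the message above identifies.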