[OGSA-AUTHZ] holder-of-key or sender-vouches SAML token?

Tom Scavo trscavo at gmail.com
Thu May 8 13:01:52 CDT 2008


There's a problem with the Attribute Exchange Profile it seems.  If
you bind a VOMS-SAML token to a SOAP message and authenticate via
WS-Security SAML Token Profile, everything is fine because the key
bound to the SAML token is the same key presented to the RP.  However,
if you bind a VOMS-SAML token to a proxy certificate, there are
problems since the key presented to the RP is different from the key
bound to the SAML token, and so the holder-of-key subject confirmation
on the assertion is not satisfied.  An RP is obliged to reject the
SAML token in that case.

Here's an example of a SAML token with holder-of-key subject confirmation:

http://www.globus.org/mail_archive/gridshib-user/2008/05/msg00011.html

Now a VOMS AC is essentially a security token with sender-vouches
subject confirmation, so I wonder if the VOMS-SAML assertion should
have sender-vouches subject confirmation as well.  Alternatively, the
proxy certificate could be constructed such that its key is the same
key bound to the EEC.  In that case, the SAML holder-of-key subject
confirmation requirement would be met since all the bound keys (EEC,
proxy, SAML) are the same.

Thoughts?

Tom
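The RP-side decision Tom describes, written out as an added example (not code from the post, from VOMS, or from GridShib): for holder-of-key confirmation the RP compares the key bound in the assertion's SubjectConfirmationData with the key the peer actually authenticated with; for sender-vouches there is no key binding, so the RP must instead trust the attesting party that delivered the assertion. The assertion skeleton, the RSA modulus values and the attesting-party names are constructed placeholders; a real RP would extract the peer's public key from its TLS or WS-Security credential and would verify the assertion signature first, which this example omits.

```python
"""RP-side SAML 2.0 subject-confirmation check (constructed example).

Two confirmation methods are handled:
  - holder-of-key:  the key in SubjectConfirmationData/ds:KeyInfo must
    equal the key the peer authenticated with.
  - sender-vouches: no key binding; the attesting party must be trusted.
Keys are compared as RSA (Modulus, Exponent) pairs rather than as
certificate bytes, so a proxy certificate that reuses the EEC key
passes while a proxy with a fresh key is rejected.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"


def _norm(b64):
    """Strip whitespace so differently line-wrapped base64 compares equal."""
    return re.sub(r"\s+", "", b64 or "")


def bound_keys(assertion_xml, method):
    """Return the set of (Modulus, Exponent) pairs bound to SubjectConfirmation
    elements that use the given confirmation method."""
    root = ET.fromstring(assertion_xml)
    keys = set()
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != method:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue"
        for kv in sc.findall(path, NS):
            mod = kv.find("ds:Modulus", NS)
            exp = kv.find("ds:Exponent", NS)
            if mod is not None and exp is not None:
                keys.add((_norm(mod.text), _norm(exp.text)))
    return keys


def confirm_subject(assertion_xml, presented_key, attesting_party=None,
                    trusted_attesters=frozenset()):
    """Decide whether the RP may accept the assertion for the authenticated peer.

    presented_key is the (Modulus, Exponent) pair the RP extracted from the
    peer's authenticated certificate (constructed here, no real parsing).
    Returns (accepted, reason)."""
    root = ET.fromstring(assertion_xml)
    methods = {sc.get("Method")
               for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)}
    if HOLDER_OF_KEY in methods:
        keys = bound_keys(assertion_xml, HOLDER_OF_KEY)
        if not keys:
            return False, "holder-of-key confirmation carries no KeyInfo"
        if (_norm(presented_key[0]), _norm(presented_key[1])) in keys:
            return True, "presented key matches the key bound in the assertion"
        return False, "presented key differs from the key bound in the assertion"
    if SENDER_VOUCHES in methods:
        if attesting_party in trusted_attesters:
            return True, "sender-vouches: attesting party %s is trusted" % attesting_party
        return False, "sender-vouches: attesting party is not trusted"
    return False, "no supported subject confirmation method"


def make_assertion(method, key=None):
    """Build a minimal, unsigned, constructed assertion with one SubjectConfirmation."""
    data = ""
    if key is not None:
        data = ('<saml:SubjectConfirmationData><ds:KeyInfo><ds:KeyValue>'
                '<ds:RSAKeyValue><ds:Modulus>%s</ds:Modulus>'
                '<ds:Exponent>%s</ds:Exponent></ds:RSAKeyValue>'
                '</ds:KeyValue></ds:KeyInfo></saml:SubjectConfirmationData>' % key)
    return ('<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" Version="2.0" ID="_1">'
            '<saml:Subject><saml:NameID>CN=user</saml:NameID>'
            '<saml:SubjectConfirmation Method="%s">%s</saml:SubjectConfirmation>'
            '</saml:Subject></saml:Assertion>'
            % (NS["saml"], NS["ds"], method, data))


# Constructed placeholder key material, not real RSA parameters.
EEC_KEY = ("RUVDLW1vZHVsdXMtcGxhY2Vob2xkZXI=", "AQAB")
PROXY_KEY = ("UFJPWFktbW9kdWx1cy1wbGFjZWhvbGRlcg==", "AQAB")


def scenarios():
    """The cases from the discussion: token bound to the EEC key, then
    presented either with that key or with a proxy holding a fresh key."""
    hok = make_assertion(HOLDER_OF_KEY, EEC_KEY)
    sv = make_assertion(SENDER_VOUCHES)
    return {
        "wss_token_profile_same_key": confirm_subject(hok, EEC_KEY),
        # proxy cert whose key differs from the EEC key: must be rejected
        "proxy_with_fresh_key": confirm_subject(hok, PROXY_KEY),
        "sender_vouches_trusted": confirm_subject(sv, PROXY_KEY, "voms.example",
                                                  {"voms.example"}),
        "sender_vouches_untrusted": confirm_subject(sv, PROXY_KEY, "other.example",
                                                    {"voms.example"}),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print("%s: %s (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

Because the comparison is on key material rather than on certificate bytes, the second alternative in the post (a proxy certificate constructed with the EEC's own key) is accepted by the same code path as the WS-Security case, while sender-vouches shifts the whole decision onto the RP's list of trusted attesting parties.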
