[OGSA-AUTHZ] holder-of-key or sender-vouches SAML token?

Tom Scavo trscavo at gmail.com
Sun May 11 15:37:19 CDT 2008


On Sun, May 11, 2008 at 7:45 AM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>
> > The key in the SAML token is the same as the key in the
> > end-entity certificate, not the proxy certificate.
> >
> > > > Now a VOMS AC is essentially a security token with sender-vouches
> > > > subject confirmation, so I wonder if the VOMS-SAML assertion should
> > > > have sender-vouches subject confirmation as well.
> > > >
> > > I agree.
> >
> > That requires a change to the Attribute Exchange Profile, I'm afraid.
>
>  Why not scrap the confirmation field anyway? Just have the subject DN.
>  It is enough isn't it?

The AA doesn't have any choice with respect to the name identifier
since the query completely determines the name identifier that the AA
MUST use in the assertion.  The <SubjectConfirmation> element, on the
other hand, is up to the AA's discretion.  It essentially tells the RP
what it must do to confirm the subject (and therefore accept the
assertion).  So the question is: What should the RP be instructed to
do to confirm the subject?  Rephrasing the question in terms of VOMS:
What does an RP need to do to accept a VOMS AC?  The SAML assertion
should be profiled similarly, I suspect.

Tom
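The distinction Tom draws above (the NameID is fixed by the query, the <SubjectConfirmation> is the AA's instruction to the RP) is easier to see with a toy implementation of both halves. The following Python is an added illustration, not code from the thread, from VOMS or from any Globus/OGSA project: a stand-in attribute authority that copies the queried NameID verbatim and picks a confirmation method, and a relying-party check that branches on that method. The DNs, key identifiers and the "trusted voucher" list are constructed for the example, and possession of a key is modelled by a bare key name the presenter is assumed to have proven (e.g. via TLS client authentication) rather than by real signature checks.

```python
# Added example (not from the ogsa-authz thread): toy AA and RP sides of SAML 2.0
# subject confirmation for the two methods under discussion.  All DNs, key names
# and trust lists below are constructed for illustration.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML_NS, "ds": DS_NS}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

for prefix, uri in (("saml", SAML_NS), ("ds", DS_NS), ("xsi", XSI_NS)):
    ET.register_namespace(prefix, uri)


def build_assertion(queried_name_id, method, key_name=None):
    """Stand-in attribute authority.  The NameID is copied verbatim from the
    query (the AA has no say there); the confirmation method is the AA's
    choice.  Returns an unsigned toy assertion as an XML string."""
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion", Version="2.0")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=X509_SUBJECT_NAME)
    name_id.text = queried_name_id
    sc = ET.SubElement(subject, f"{{{SAML_NS}}}SubjectConfirmation", Method=method)
    if method == HOLDER_OF_KEY:
        if key_name is None:
            raise ValueError("holder-of-key needs the key the subject must prove possession of")
        # Holder-of-key binds the assertion to a key via ds:KeyInfo (here just a KeyName).
        scd = ET.SubElement(sc, f"{{{SAML_NS}}}SubjectConfirmationData")
        scd.set(f"{{{XSI_NS}}}type", "saml:KeyInfoConfirmationDataType")
        key_info = ET.SubElement(scd, f"{{{DS_NS}}}KeyInfo")
        ET.SubElement(key_info, f"{{{DS_NS}}}KeyName").text = key_name
    # Sender-vouches carries no key: the RP must instead trust whoever presents it.
    return ET.tostring(assertion, encoding="unicode")


def confirm_subject(assertion_xml, presenter, trusted_vouchers):
    """Relying-party side.  `presenter` describes the party handing over the
    assertion: {"id": its authenticated name, "key_name": the key it proved it
    holds}.  Returns (accepted, reason, subject_name_id).  Per SAML 2.0 the
    subject is confirmed if any one <SubjectConfirmation> can be satisfied."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    failures = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        if method == HOLDER_OF_KEY:
            bound = sc.findtext("saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName",
                                namespaces=NS)
            # The presenter must have proven possession of exactly the bound key.
            if bound and bound == presenter.get("key_name"):
                return True, "holder-of-key: presenter holds the bound key", name_id
            failures.append(f"holder-of-key: presenter key {presenter.get('key_name')!r} "
                            f"is not the bound key {bound!r}")
        elif method == SENDER_VOUCHES:
            # Nothing in the assertion ties it to the presenter; RP policy decides
            # which attesting entities are allowed to vouch for a subject.
            if presenter.get("id") in trusted_vouchers:
                return True, f"sender-vouches: {presenter['id']} is a trusted voucher", name_id
            failures.append(f"sender-vouches: {presenter.get('id')!r} is not trusted to vouch")
        else:
            failures.append(f"unsupported confirmation method {method!r}")
    return False, "; ".join(failures) or "no SubjectConfirmation present", name_id


if __name__ == "__main__":
    hok = build_assertion("CN=alice,O=Example", HOLDER_OF_KEY, key_name="alice-eec-key")
    # Presenter proves the end-entity key: confirmed.
    print(confirm_subject(hok, {"id": "alice", "key_name": "alice-eec-key"}, set()))
    # Presenter proves only a (different) proxy key: holder-of-key cannot be confirmed.
    print(confirm_subject(hok, {"id": "alice", "key_name": "alice-proxy-key"}, set()))
    sv = build_assertion("CN=alice,O=Example", SENDER_VOUCHES)
    gatekeeper = {"id": "CN=gatekeeper,O=Example", "key_name": "gk-key"}
    print(confirm_subject(sv, gatekeeper, {"CN=gatekeeper,O=Example"}))
```

The second holder-of-key call is the grid situation the thread touches on: if the assertion is bound to the end-entity certificate's key but the presenter can only prove possession of a proxy key, the RP has no way to confirm the subject, which is exactly why the confirmation method chosen by the AA matters to the RP.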

