[OGSA-AUTHZ] [gridshib-user] SAML Assertions with namespace prefix - SAMLAssertionPushPIP fails

David Chadwick d.w.chadwick at kent.ac.uk
Mon May 12 16:48:32 CDT 2008


Hi Tom

Tom Scavo wrote:
> On Sun, May 11, 2008 at 7:45 AM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>>> The SAML assertion is holder-of-key
>>> while the AC is (essentially) sender-vouches.
>>  Actually the SAML assertion is also sender vouches, because the sender
>>  vouches for the attributes that are in the assertion. So does it really
>>  matter, given that the sender is vouching for the attributes, that it
>>  can also vouch for the subject name. To me, it does not. If I trust you
>>  to say what my attributes are, I must also trust you to say who I am (or
>>  what my ID is).
> 
> I don't disagree with you, David, but the fact remains that the SAML
> token issued by VOMS (according to the profile) is holder-of-key, not
> sender-vouches.  If we bind the SAML token to a proxy certificate and
> present the latter to a resource provider, the holder-of-key subject
> confirmation on the SAML token is not met, and so the RP is obliged to
> discard the SAML token.

Actually this is not true. The RP is not obliged to do anything. The RP 
is the root of trust and can decide to ignore all the advice of the AA, 
and decide to accept anything it wants to. Here is a real life example. 
Safeway (the AA) issues discount coupons ($5 off for $50 spend) to users 
of its stores, and the coupons state quite categorically "only to be 
used in Safeway stores, not exchangeable ... etc.". But if you take the 
coupon to WalMart (the RP) they will honor the coupon and give you $5 
off your $50 shopping. The RP is free to ignore anything the AA says, 
since it is the RP. Of course the AA will not take any responsibility 
for this, but then the RP does not mind.

regards

David

> 
> I suggest we take the rest of this discussion over to the OGF AuthZ-WG
> mailing list since that is where this problem must be addressed.
> 
> Tom
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
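An added example, written for this page and not taken from the thread or either author, of the relying-party decision the two positions above describe: a strict RP enforces the SAML 2.0 SubjectConfirmation method (holder-of-key must be presented with the bound key), while an "issuer-only" RP takes David's root-of-trust stance and accepts the issuer's attributes whoever presents the token. The assertion, certificate values and function names are constructed; issuer signature verification is assumed to have happened upstream.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed sample: a holder-of-key assertion written with the "saml:"
# prefix (the form the thread subject refers to). The certificate is a dummy.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_c1"
  IssueInstant="2008-05-12T00:00:00Z">
  <saml:Issuer>https://voms.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>CN=Alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUxJQ0UtQ0VSVA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def confirmation(assertion_xml):
    """Return (Method URI, base64 certificate bound by holder-of-key or None).
    Clark-notation lookups resolve the same way whether the document uses a
    prefix or a default namespace, so the prefix itself is not the issue."""
    root = ET.fromstring(assertion_xml)
    sc = root.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation")
    if sc is None:
        return None, None
    cert = sc.find(f"{{{SAML}}}SubjectConfirmationData/{{{DS}}}KeyInfo/"
                   f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    bound = cert.text.strip() if cert is not None and cert.text else None
    return sc.get("Method"), bound


def rp_accepts(assertion_xml, presenter_cert, trusted_senders, policy="strict"):
    """RP decision. 'strict' enforces the confirmation method; 'issuer-only'
    accepts the issuer's attributes regardless of presenter (assumes the
    issuer signature on the assertion was already verified upstream)."""
    method, bound = confirmation(assertion_xml)
    if policy == "issuer-only":
        return True
    if method == HOLDER_OF_KEY:      # presenter must hold the bound key
        return bound is not None and bound == presenter_cert
    if method == SENDER_VOUCHES:     # only a trusted sender may vouch
        return presenter_cert in trusted_senders
    return False
```

Binding the token to a proxy certificate and presenting the proxy is the case where `presenter_cert` differs from the bound certificate, so the strict policy rejects it while the issuer-only policy does not.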

