On Sun, May 11, 2008 at 7:45 AM, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
The key in the SAML token is the same as the key in the end-entity certificate, not the proxy certificate.
Now a VOMS AC is essentially a security token with sender-vouches subject confirmation, so I wonder if the VOMS-SAML assertion should have sender-vouches subject confirmation as well.
I agree.
That requires a change to the Attribute Exchange Profile, I'm afraid.
Why not scrap the confirmation field anyway? Just have the subject DN. It is enough, isn't it?
The AA doesn't have any choice with respect to the name identifier since the query completely determines the name identifier that the AA MUST use in the assertion. The <SubjectConfirmation> element, on the other hand, is up to the AA's discretion. It essentially tells the RP what it must do to confirm the subject (and therefore accept the assertion). So the question is: What should the RP be instructed to do to confirm the subject? Rephrasing the question in terms of VOMS: What does an RP need to do to accept a VOMS AC? The SAML assertion should be profiled similarly, I suspect.

Tom
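The RP-side rule discussed above, as an added example that is not part of the original thread and not code from any VOMS or SAML implementation: a relying party reads the Method of the <SubjectConfirmation> element and applies the matching check, comparing the key in the assertion against the key the presenter proved on the wire for holder-of-key, and falling back to "do I trust the presenter" for sender-vouches. The assertions are constructed here; the KeyValue contents are placeholder strings rather than real key material, and AA signature verification (which a real RP must do first) is assumed to have happened already.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"


def sample_assertion(method, key_value=None):
    """Build a constructed, unsigned SAML 2.0 assertion for illustration.

    The NameID and key values are made up. A real AA-issued assertion is
    signed by the AA, and that signature must be verified before any of the
    subject-confirmation logic below is applied.
    """
    conf_data = ""
    if key_value is not None:
        conf_data = (
            "<saml:SubjectConfirmationData>"
            "<ds:KeyInfo><ds:KeyValue>%s</ds:KeyValue></ds:KeyInfo>"
            "</saml:SubjectConfirmationData>" % key_value
        )
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s">'
        "<saml:Subject>"
        "<saml:NameID>CN=alice,O=Example Grid</saml:NameID>"
        '<saml:SubjectConfirmation Method="%s">%s</saml:SubjectConfirmation>'
        "</saml:Subject>"
        "</saml:Assertion>" % (SAML_NS, DS_NS, method, conf_data)
    )


def confirm_subject(assertion_xml, presenter_key, presenter_trusted):
    """Apply the confirmation rule named in <SubjectConfirmation>.

    presenter_key:     the key the presenter proved possession of on the wire
                       (e.g. the end-entity key behind the TLS handshake).
    presenter_trusted: whether the RP has already decided to trust the
                       presenting party to vouch for other subjects.
    Returns (accepted, reason).
    """
    root = ET.fromstring(assertion_xml)
    subj = root.find("{%s}Subject" % SAML_NS)
    conf = None
    if subj is not None:
        conf = subj.find("{%s}SubjectConfirmation" % SAML_NS)
    if conf is None:
        return False, "no SubjectConfirmation: RP has no rule to apply"
    method = conf.get("Method")

    if method == HOLDER_OF_KEY:
        # The assertion binds the subject to a key, so the presenter must prove
        # possession of exactly that key. In the setting discussed in the thread
        # that is the end-entity certificate key, so a proxy key does not confirm.
        kv = conf.find(".//{%s}KeyValue" % DS_NS)
        if kv is None or not kv.text:
            return False, "holder-of-key confirmation without KeyInfo"
        if kv.text.strip() == presenter_key:
            return True, "presenter holds the confirmed key"
        return False, "presented key does not match the key in the assertion"

    if method == SENDER_VOUCHES:
        # No key in the assertion: the RP accepts only because it trusts the
        # party presenting it, which is the thread's characterisation of how
        # a VOMS AC is accepted.
        if presenter_trusted:
            return True, "trusted presenter vouches for the subject"
        return False, "presenter is not trusted to vouch for the subject"

    return False, "unsupported confirmation method: %s" % method
```

The holder-of-key branch mirrors the point made earlier in the thread: if the key in the assertion is the end-entity key and the presenter only proves a proxy key, the subject is not confirmed, which is exactly why the choice between holder-of-key and sender-vouches matters for a VOMS-style deployment.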