hi,

On 5/8/08, Tom Scavo <trscavo@gmail.com> wrote:
There's a problem with the Attribute Exchange Profile it seems.  If
you bind a VOMS-SAML token to a SOAP message and authenticate via
WS-Security SAML Token Profile, everything is fine because the key
bound to the SAML token is the same key presented to the RP. 
 
"the key bound to the SAML token is the same key presented to the RP", here you meant the key bound to the SAML Token is the same key which signs the VOMS-SAML token? If so, I cannot see any real scenario for this. The VOMS-SAML token (or any other attribute token) should be signed by some AA, but the "holder-of-key" situation in the SAML Token (WS-Security) should present the principal of the identity (which means it should be the identity certificate signed by some CA).

However,
if you bind a VOMS-SAML token to a proxy certificate, there are
problems since the key presented to the RP is different from the key
bound to the SAML token, and so the holder-of-key subject confirmation
on the assertion is not satisfied.
 
Why is it a problem here? Why can't we just put the VOMS-SAML token into the proxy certificate, and look at it the same way as a traditional VOMS AC (attribute certificate)?

An RP is obliged to reject the
SAML token in that case.

Here's an example of a SAML token with holder-of-key subject confirmation:

http://www.globus.org/mail_archive/gridshib-user/2008/05/msg00011.html

Now a VOMS AC is essentially a security token with sender-vouches
subject confirmation, so I wonder if the VOMS-SAML assertion should
have sender-vouches subject confirmation as well.  
 
I agree.

Alternatively, the
proxy certificate could be constructed such that its key is the same
key bound to the EEC.  
 
The same as above, the AA and CA should not be mixed, I guess.

In that case, the SAML holder-of-key subject
confirmation requirement would be met since all the bound keys (EEC,
proxy, SAML) are the same.
 
Regards,
Weizhong
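As an added illustration of the holder-of-key versus sender-vouches distinction discussed in this thread (example code written for this page, not from the original message, GridShib or VOMS), here is a small Python model of the RP-side subject confirmation check. The assertion XML, the key identifiers (fingerprint-like strings standing in for real public keys) and the DNs are all constructed; XML signature validation of the assertion, which a real RP must also perform, is deliberately left out so the example only shows the confirmation logic.

```python
"""Model of SAML 2.0 SubjectConfirmation evaluation at a relying party.
All assertions, key identifiers and DNs below are constructed samples."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed stand-ins for public-key fingerprints and certificate DNs.
EEC_KEY = "sha256:EEC-KEY-CONSTRUCTED"
PROXY_KEY = "sha256:PROXY-KEY-CONSTRUCTED"
EEC_DN = "/DC=org/DC=example/CN=Alice"
PROXY_DN = "/DC=org/DC=example/CN=Alice/CN=proxy"


def make_assertion(method, key_name=None):
    """Build a minimal, unsigned, constructed VOMS-style SAML assertion.
    Holder-of-key binds the subject to a key via ds:KeyInfo; sender-vouches
    binds no key, so the RP must instead trust whoever presents it."""
    key_info = ""
    if method == HOLDER_OF_KEY:
        key_info = ("<saml:SubjectConfirmationData>"
                    f"<ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>"
                    "</saml:SubjectConfirmationData>")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}">'
            '<saml:Issuer>CN=voms.example.org (constructed AA)</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{EEC_DN}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{method}">{key_info}'
            '</saml:SubjectConfirmation></saml:Subject></saml:Assertion>')


def confirm_subject(assertion_xml, presenter_key, presenter_dn, trusted_vouchers):
    """RP-side check. presenter_key / presenter_dn describe the entity that
    authenticated to the RP (for instance the TLS client certificate, which
    may be the EEC or a proxy). Returns (method, satisfied)."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        if method == HOLDER_OF_KEY:
            bound = {k.text for k in sc.findall(
                "saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName", NS)}
            # Satisfied only if the presenter proved possession of a bound key.
            return method, presenter_key in bound
        if method == SENDER_VOUCHES:
            # No key binding: the RP must independently trust the presenter
            # (and, in practice, a trusted signer of the assertion) to vouch.
            return method, presenter_dn in trusted_vouchers
        return method, False  # unknown or unsupported confirmation method
    return None, False


def thread_scenarios():
    """The four situations raised in the thread, as the RP would decide them."""
    trusted = {PROXY_DN}  # the RP accepts this proxy as a voucher (assumption)
    hok = make_assertion(HOLDER_OF_KEY, EEC_KEY)
    sv = make_assertion(SENDER_VOUCHES)
    return {
        # WS-Security SAML Token Profile: key proved to the RP is the bound key.
        "ws_security_same_key": confirm_subject(hok, EEC_KEY, EEC_DN, trusted)[1],
        # HoK assertion carried in a proxy that has its own fresh key: rejected.
        "proxy_with_new_key": confirm_subject(hok, PROXY_KEY, PROXY_DN, trusted)[1],
        # Proxy deliberately generated with the EEC's key: all bound keys match.
        "proxy_reusing_eec_key": confirm_subject(hok, EEC_KEY, PROXY_DN, trusted)[1],
        # Sender-vouches assertion in a normal proxy: accepted if the voucher is trusted.
        "sender_vouches_via_proxy": confirm_subject(sv, PROXY_KEY, PROXY_DN, trusted)[1],
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The second scenario is the failure case the thread describes: a holder-of-key assertion whose bound key is the EEC's, presented over a proxy with a different key, cannot be confirmed and an RP is obliged to reject it. The last two scenarios correspond to the two ways out mentioned above (reusing the EEC key in the proxy, or issuing the assertion with sender-vouches); note that sender-vouches shifts the RP's decision from a cryptographic proof of possession to a trust decision about the presenter, which is why the assertion's own signature and the voucher's identity then matter.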