Re: [OGSA-AUTHZ] [gridshib-user] SAML Assertions with namespace prefix - SAMLAssertionPushPIP fails
Hi Tom

Tom Scavo wrote:
> On Sun, May 11, 2008 at 7:45 AM, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
>>> The SAML assertion is holder-of-key while the AC is (essentially) sender-vouches.
>> Actually the SAML assertion is also sender-vouches, because the sender vouches for the attributes that are in the assertion. So does it really matter, given that the sender is vouching for the attributes, that it can also vouch for the subject name? To me, it does not. If I trust you to say what my attributes are, I must also trust you to say who I am (or what my ID is).
> I don't disagree with you, David, but the fact remains that the SAML token issued by VOMS (according to the profile) is holder-of-key, not sender-vouches. If we bind the SAML token to a proxy certificate and present the latter to a resource provider, the holder-of-key subject confirmation on the SAML token is not met, and so the RP is obliged to discard the SAML token.
Actually this is not true. The RP is not obliged to do anything. The RP is the root of trust and can decide to ignore all the advice of the AA, and decide to accept anything it wants to. Here is a real life example. Safeway (the AA) issues discount coupons ($5 off for $50 spend) to users of its stores, and the coupons state quite categorically "only to be used in Safeway stores, not exchangeable ... etc." But if you take the coupon to WalMart (the RP) they will honor the coupon and give you $5 off your $50 shopping. The RP is free to ignore anything the AA says, since it is the RP. Of course the AA will not take any responsibility for this, but then the RP does not mind.

regards

David
> I suggest we take the rest of this discussion over to the OGF AuthZ-WG mailing list since that is where this problem must be addressed.
>
> Tom
-- 
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
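As an added example, not from the thread or from VOMS, here is the RP-side check that Tom's holder-of-key point rests on: the assertion is confirmed only when the presenter has proved possession of the key named in its KeyInfo, so a token bound to a proxy certificate (a different certificate from the EEC the issuer named) fails, while a sender-vouches assertion is accepted only on the RP's trust in the presenter. The assertion, issuer URL and certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion and XML Signature namespace URIs.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed sample assertion using prefixed elements (not a real VOMS
# token; issuer and certificate values are placeholders).
ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_a1">
  <saml:Issuer>https://voms.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>/DC=org/DC=example/CN=Alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>EEC-CERT-PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>
"""


def confirm_subject(assertion_xml, presenter_cert, trust_sender=False):
    """Evaluate SubjectConfirmation for a presenter who proved possession of
    presenter_cert's private key (e.g. in the TLS handshake).
    Returns (method, satisfied). holder-of-key is met only if presenter_cert
    is named in KeyInfo; sender-vouches is met only by RP trust in the sender."""
    root = ET.fromstring(assertion_xml)
    # Namespace-aware lookup, so the saml:/ds: prefixes resolve correctly.
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None:
        return None, False
    method = sc.get("Method")
    if method == HOLDER_OF_KEY:
        certs = {(c.text or "").strip()
                 for c in sc.iterfind(".//ds:X509Certificate", NS)}
        return method, presenter_cert in certs
    if method == SENDER_VOUCHES:
        return method, trust_sender
    return method, False
```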