On 11/11/13, 10:52 PM, "Josh Howlett" <[email protected]> wrote:
> Sigh, I got the Requester and Presenter the wrong way around. Is this then
> best tackled using subject confirmation? If so, would it be too much of a
> stretch to use Holder of Key where the KeyInfo contains a KeyName naming
> the AAA entity?
That only works in one direction, and I think you need both here. If this is *really* channel binding, literally, then there's already an extension for that, but I don't think it's technically CB, just conceptually similar. You have two AAA peers exchanging messages and you want to bind the names of those endpoints to the names in the messages. That's not CB per se, it's name association. And more to the point, you're not signing the messages, so nothing you put into them is trusted above and beyond what the AAA exchange already is.

If your requirement is to prevent a AAA entity from subverting the exchange by misusing a message, you need something else to vouch for the relationship. That's metadata, or the equivalent. It can't be in the message. That only works if you're signing them independently of the AAA channel so that you can mutually authenticate the SAML layer. Then you might have channel binding for real because you can bind the channel from the authentication of the exchange on top of it.

At least that's my read of it.

-- Scott

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
