>> Sigh, I got the Requester and Presenter the wrong way around. Is this
>> then best tackled using subject confirmation? If so, would it be too much of a
>> stretch to use Holder of Key where the KeyInfo contains a KeyName naming
>> the AAA entity?
>
> That only works in one direction, and I think you need both here.

Not for the specific issue -- of the AAA entity demonstrating its authority to wield the assertion to the RP -- that Sam highlighted.

> If this is *really* channel binding, literally, then there's already an
> extension for that, but I don't think it's technically CB, just
> conceptually similar.
>
> You have two AAA peers exchanging messages and you want to bind the names
> of those endpoints to the names in the messages. That's not CB per se,
> it's name association.

That's the other issue that I previously conflated. I don't believe that is channel binding either (although I think the one above definitely is).

The SAML name is (as Sam said) essentially an attribute of the assertion against which policy can be applied. As you say, the level of trust that you have in that name is contingent on your trust in the AAA layer.

Josh.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
