John,

Looking at the last diagram, and the discussion on keeping the acquisition of assertions separate from presenting those, I have this basic question (could also be due to my lack of knowledge of SAML assertions :-)):

When a user needs to present the identity assertion, and the "over 21 assertion" from the ID agent, what prevents a man-in-the-middle from mixing and matching assertions? Example: What if I have browser code to take my ID assertion from the ID agent, and someone else's "Over 21" assertion (which I probably captured by posing as a relying party), and pass it on to the relying party. Is this scenario possible? Is there a restriction on who can present an assertion in the assertion itself?

Thanks and Regards,
Haripriya S.

>>> John Merrells <[EMAIL PROTECTED]> 06/06/06 3:27 am >>>
On 5-Jun-06, at 2:42 PM, Eric Rescorla wrote:

> I'm still not sure I get what you're saying. Let me see if I can
> try again looking at the flows of data.
>
> OPTION 1: What I take DIX to be doing

Yes, this interaction diagram is correct.

> Client                    IdP                   Relying Party
>
>   ------------------------- Service Please ------------ >
>
>   <------------------------- Prove you're over 21--------
>
>   <------- Auth exchange ------ >
>
>   <------- Over 21 credential--
>
>   <----------------- Auth exchange plus over 21 cred ---- >

Assuming that at some point earlier the user acquired an over 21 assertion from an appropriate authority.

Client                 Identity Agent               Authority

  ------------------------- Service Please ------------ >

  <--- Auth/Verify exchange, maybe even out of band ---- >

  <------- Over 21 credential----------------------------

  <--------- Over 21 cred ---- >

John

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
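The relying-party check that Haripriya's question turns on, as an added illustration that is not part of this thread: each assertion is signed by its issuer and carries the subject it is about and the audience it was issued for (what SAML calls the Subject and the AudienceRestriction condition), so the relying party rejects an over-21 assertion whose subject differs from the authenticated identity, or whose audience is some other party. Issuer names, keys, the relying-party identifier "rp.example" and the HMAC stand-in for an XML signature are all constructed for this example.

```python
import hmac, hashlib, json, time

# Constructed issuer keys; stand-ins for the signing keys of the identity
# agent (identity assertions) and the authority (over-21 assertions).
KEYS = {"id-agent": b"id-agent-secret", "authority": b"authority-secret"}
RP = "rp.example"  # constructed identifier of the genuine relying party

def issue(issuer, subject, claim, audience, ttl=300):
    """Issue a signed assertion; HMAC stands in for an XML signature."""
    body = {"iss": issuer, "sub": subject, "claim": claim,
            "aud": audience, "exp": int(time.time()) + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify(assertion, expected_issuer, audience, now=None):
    """Check signature, issuer, audience restriction and expiry."""
    body = assertion["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    good = hmac.new(KEYS[expected_issuer], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, assertion["sig"]): return False
    if body["iss"] != expected_issuer or body["aud"] != audience: return False
    if body["exp"] <= (now or time.time()): return False
    return True

def rp_accepts(identity_assertion, over21_assertion, rp=RP):
    """Relying party: both assertions valid for us and about the same subject."""
    if not verify(identity_assertion, "id-agent", rp): return False
    if not verify(over21_assertion, "authority", rp): return False
    if over21_assertion["body"]["claim"] != "over21": return False
    return identity_assertion["body"]["sub"] == over21_assertion["body"]["sub"]

def demo():
    alice_id = issue("id-agent", "alice", "identity", RP)
    alice_21 = issue("authority", "alice", "over21", RP)
    bob_21 = issue("authority", "bob", "over21", RP)
    other_rp_21 = issue("authority", "alice", "over21", "other-rp.example")
    forged = issue("authority", "bob", "over21", RP)
    forged["body"]["sub"] = "alice"  # relabelled without the authority's key
    return {
        "matching pair": rp_accepts(alice_id, alice_21),
        "someone else's over-21": rp_accepts(alice_id, bob_21),
        "captured at another RP": rp_accepts(alice_id, other_rp_21),
        "relabelled subject": rp_accepts(alice_id, forged),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```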
