shibboleth-dev - RE: Holder of key - help!
- From: "Josh Howlett" <>
- To: <>
- Cc: "Josh Howlett" <>
- Subject: RE: Holder of key - help!
- Date: Wed, 9 Jan 2008 10:35:31 -0000
> > How does the Relying Party, in possession of the client's
> > public key, use it to validate the client?
>
> The assertion's delivery is also out of scope. If it's done
> in a manner that permits a signature or transport binding
> based on the key, that's your proof. An example would be a
> WS-Security header containing the assertion and a signature
> binding the assertion to the message body. Another would be TLS.
Let me rephrase to check my understanding.

1. The holder-of-key SubjectConfirmation associates the assertion, via a public key embedded or referenced explicitly within the KeyInfo element, to the client's corresponding private key. The issuer is the party that mints the assertion.

2. Possession of the key - and therefore the right to wield the assertion, either directly or by delegation - can be demonstrated by binding the assertion, using the corresponding private key (i.e. using a signature), to whatever transport/container the client uses to encapsulate the assertion for consumption by the RP.

3. The client may be the issuer itself, or a delegate client trusted by the issuer.

4. An RP validates the assertion by (1) verifying the issuer's signature on the assertion, and then (2) by checking that the public key given in the SubjectConfirmation corresponds to the private key used by the client to bind the assertion to the encapsulating transport/container.

Thanks for your help, josh.
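As an added example (not from this thread and not Shibboleth's code), here is the relying-party side of step (2) as Josh states it, in Python: a SAML 2.0 assertion is accepted only when a holder-of-key SubjectConfirmation names the very certificate the client presented on the transport, taking TLS client authentication as the binding. Step (1), verifying the issuer's XML signature, is assumed to have passed already, and the certificate byte strings are constructed stand-ins for real DER.

```python
"""Relying-party check for step (2): the key the issuer bound into a holder-of-key
SubjectConfirmation must be the key the client proved possession of on the
transport.  Here that proof is TLS client authentication, so the comparison is
against the presented certificate (DER).  Step (1), the issuer's XML signature
over the assertion, is assumed to have been verified already."""
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def confirmed_certs(assertion_xml: str) -> set:
    """DER bytes of every ds:X509Certificate inside a holder-of-key confirmation.
    Bearer (or any other) confirmations contribute nothing, even if they carry a key."""
    certs = set()
    for sc in ET.fromstring(assertion_xml).iterfind(f".//{{{SAML}}}SubjectConfirmation"):
        if sc.get("Method") != HOLDER_OF_KEY:
            continue
        # A KeyInfo holding a bare ds:KeyValue instead of a certificate would have to
        # be compared against the presented certificate's SubjectPublicKeyInfo instead.
        for cert in sc.iterfind(f".//{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der:
                certs.add(der)
    return certs

def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes) -> bool:
    """True only if the presented TLS certificate is one the issuer bound to the
    assertion; an assertion without usable holder-of-key KeyInfo fails closed."""
    return presented_cert_der in confirmed_certs(assertion_xml)

# Constructed sample input: these byte strings stand in for real DER certificates.
CLIENT_CERT = b"constructed-der: delegate client"
OTHER_CERT = b"constructed-der: some other party"

def confirmation(method: str, cert_der: bytes = b"") -> str:
    key_info = ""
    if cert_der:
        b64 = base64.b64encode(cert_der).decode()
        key_info = ("<saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data>"
                    f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
                    "</ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>")
    return f'<saml:SubjectConfirmation Method="{method}">{key_info}</saml:SubjectConfirmation>'

def assertion(*confirmations: str) -> str:
    return (f'<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_a1" Version="2.0">'
            "<saml:Issuer>https://idp.example.org</saml:Issuer><saml:Subject>"
            f'<saml:NameID>alice</saml:NameID>{"".join(confirmations)}'
            "</saml:Subject></saml:Assertion>")
```

The same comparison applies when the binding is a WS-Security signature rather than TLS: the key that verified the message signature is what gets compared against the confirmation's KeyInfo.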