Canada is working on that profile. The FICAM profile of how PKI and SAML work together uses federation metadata so that the commercial IdPs don't all have to use certificates issued from a single CA. As inter-federation becomes more complex, using metadata allows IdPs to participate in multiple federations without having to set up separate endpoints with different signing certificates for each federation. Both work, and are relatively well understood.

There are problems with SAML products not performing path validation, and understanding extensions and policies, that the Canadian profile is attempting to address. The problem is that what you want for PKI trust management in SAML is more complicated than what people do for SSL. So the products tend to only have basic path walking to a certificate store and perhaps OCSP. Some people will say that the current state of PKI in SAML only gives the illusion of security, and is not scalable or flexible. To get it to work at all, people devolve to doing direct key comparisons of certificates manually configured into their software, so in many ways they just ignore the PKI features, with the possible exception of someone possibly checking it on import.

We are looking at producing a paper to better explain the metadata option. It uses asymmetric signatures but not the PKIX trust hierarchy. The FICAM SAML 2.0 Web SSO profile has a fair amount of information. There is an outstanding issue of what the federation operator uses to sign the metadata for inter-federation. However, that is mostly an issue at the federation operator level. I expect that there will be one or more CAs with CPSs for issuing high-trust certificates for non-person entities to sign federation metadata with. At our current scale it is mostly a theoretical issue. Pairwise federation agreements will go a long way.

John B.

On 2011-03-15, at 5:48 PM, Bucci, Debbie (NIH/CIT) [E] wrote:
> "...actual profile of how SAML trust management and PKI work together ..."
>
> Maybe it's time to create one
>
> -- Deb

_______________________________________________
WG-FI mailing list
WG-FI@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-fi
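An added illustration, not part of the thread and not any product's code, of the explicit-key trust model John describes: the relying party records the signing-key fingerprints from the federation metadata it imported and later accepts only those keys, with no CA path walk. The entityID, certificate bodies and validUntil value are constructed placeholders, and verification of the XML signature itself is assumed to happen elsewhere.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata for one IdP; the certificate bodies are
# base64 placeholder strings, not real X.509 certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://idp.example.org/saml" validUntil="2030-01-01T00:00:00Z">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>U0lHTklORy1DRVJULVBMQUNFSE9MREVS</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>RU5DUllQVElPTi1DRVJULVBMQUNFSE9MREVS</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(b64_cert):
    """SHA-256 over the DER bytes: the value a relying party pins on import."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def import_metadata(xml_text):
    """Explicit-key trust: record, per entityID, the signing-key fingerprints
    and the metadata expiry. No CA or certificate path is consulted."""
    root = ET.fromstring(xml_text)
    keys = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a KeyDescriptor without 'use' serves both
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                keys.add(fingerprint(c.text))
    vu = root.get("validUntil")
    expiry = datetime.strptime(vu, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if vu else None
    return {root.get("entityID"): {"signing": keys, "valid_until": expiry}}

def trusted_signing_key(pins, issuer, presented_b64_cert, now=None):
    """Decide whether the certificate carried in a message from `issuer` may be
    used to verify its signature. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    entry = pins.get(issuer)
    if entry is None:
        return False, "unknown issuer"
    if entry["valid_until"] and now > entry["valid_until"]:
        return False, "metadata expired"
    if fingerprint(presented_b64_cert) not in entry["signing"]:
        return False, "key not in metadata"  # encryption-only keys are rejected here too
    return True, "ok"
```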