Re: [higgins-dev] The certificate issue in the managed i-card backed with a personal i-card

I agree that this is an issue and suggest that we "standardize" on an
alternate application specific store (e.g. icardcerts.jks) that is searched
either before or after the cacerts store.
This way we can update this file without impacting the overall security of
other applications that share the same JVM and cacerts file.

Regards,
Mike

higgins-dev-bounces@xxxxxxxxxxx wrote on 02/03/2008 06:22:45 AM:

>
> Hi,
>
> We were trying a scenario where we use a managed card that is backed
> by a personal card. (That means the identity provider of this
> card needs to authenticate through a SAML token, and when the managed
> card tries to access the issuer, it first needs to use a personal card to
> get the SAML token.)
>
> Here, when the identity provider creates the managed card, it
> requires the end-user to provide a personal card's PPID, and writes
> this PPID into the managed card as the credential.
>
> Later, when an end-user uses this managed card to log in to some RP site,
> it needs to find the personal card according to this PPID. But for a
> personal card, the PPID is not a fixed string, but a function of the
> card and the RP site. So the card selector has to compute this PPID
> for every personal card, and find which one computes a value
> that equals the one inside the managed card.
>
> The issue here is, the PPID computing function needs not just the
> certificate (inside the managed card), but the whole certificate chain.
>
> Currently, our implementation is, we try to create the chain by
> searching the "cacerts" file of the JVM. But this means that the
> end-user has to put the root certificate into the JVM's cacerts
> manually; otherwise, most of the IdPs cannot be used.
>
> Does anyone have some ideas here?
>
> Li Tie | IBM Lotus | Eclipse committer | Phone: 86-10-82452494 |
> Tieline: 9052494
>
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev
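Added example (not Higgins project code): one way to implement the chain building Li Tie describes together with the alternate store Mike proposes. It builds the PKIX path from the card's issuer certificate using the trust anchors of an application-specific `icardcerts.jks` (the file name is taken from Mike's message; that it is searched before `cacerts` is this example's choice), and falls back to the JVM's shared `cacerts` only when the application store cannot complete the chain. The system property names (`icard.truststore`, `icard.truststore.password`, `icard.cacerts.password`) and the `changeit` default for `cacerts` are assumptions of this example; the returned chain is what the caller would hand to the PPID computation, which the thread does not specify and is not shown here.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Builds an issuer certificate chain from icardcerts.jks first, then the JVM's cacerts. */
public class ICardChainBuilder {

    /** Every trusted-certificate entry of a keystore as a PKIX trust anchor; a missing store yields none. */
    static Set<TrustAnchor> anchorsFrom(Path storePath, char[] password) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        if (!Files.isRegularFile(storePath)) {
            return anchors;
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = Files.newInputStream(storePath);
        try {
            ks.load(in, password); // a null password skips the keystore integrity check
        } finally {
            in.close();
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    /** PKIX path from the leaf to one of the anchors; the anchor itself is appended to give the full chain. */
    static List<X509Certificate> buildChain(X509Certificate leaf, List<X509Certificate> intermediates,
                                            Set<TrustAnchor> anchors) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false); // revocation policy is out of scope for this example
        List<X509Certificate> pool = new ArrayList<X509Certificate>(intermediates);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (Certificate c : result.getCertPath().getCertificates()) {
            chain.add((X509Certificate) c);
        }
        chain.add(result.getTrustAnchor().getTrustedCert()); // CertPath excludes the trust anchor
        return chain;
    }

    /** Search the application store first, then cacerts; the first store that completes a chain wins. */
    static List<X509Certificate> buildChainForCard(X509Certificate leaf, List<X509Certificate> intermediates)
            throws Exception {
        // Hypothetical property names; the defaults are this example's assumptions.
        Path appStore = Paths.get(System.getProperty("icard.truststore", "icardcerts.jks"));
        String appPw = System.getProperty("icard.truststore.password");
        char[] appPassword = appPw == null ? null : appPw.toCharArray();
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] cacertsPassword = System.getProperty("icard.cacerts.password", "changeit").toCharArray();

        List<Path> stores = Arrays.asList(appStore, cacerts);
        List<char[]> passwords = Arrays.asList(appPassword, cacertsPassword);
        for (int i = 0; i < stores.size(); i++) {
            Set<TrustAnchor> anchors = anchorsFrom(stores.get(i), passwords.get(i));
            if (anchors.isEmpty()) {
                continue; // PKIXBuilderParameters rejects an empty anchor set
            }
            try {
                return buildChain(leaf, intermediates, anchors);
            } catch (CertPathBuilderException e) {
                // no anchor in this store completes the chain; try the next store
            }
        }
        throw new CertPathBuilderException("no trust anchor found for " + leaf.getSubjectX500Principal());
    }
}
```

A caller loads the issuer certificate carried in the managed card (and any intermediates the IdP ships) with `CertificateFactory.getInstance("X.509")` and passes them to `buildChainForCard`. Keeping the i-card anchors in their own file means an IdP root can be added for the card selector without widening what every other application on the same JVM trusts, which is the point of Mike's suggestion; consulting `cacerts` second keeps publicly rooted IdPs working without duplicating their roots.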