Re: [higgins-dev] How to determine, as an RP, security token provenance
You look at the issuer/entityID in the SAML token if it is a SAML token. How you trust the issuer is a bit more complicated. It depends on how the white list is constructed.

For the GSA the whitelist contains the signing certificates and LoA for each issuer.

Depending on the issuer they may not be sending a certificate, only the RSA public key. If you try and use the key directly things will break the first time the IdP renews their certificate.
John B.
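An added example (not code from the Higgins project or from the thread) of the whitelist check John describes: the RP reads the Issuer from the SAML assertion, looks the entityID up in a whitelist that maps each issuer to its accepted signing-certificate fingerprints and LoA, and accepts more than one fingerprint per issuer so a certificate renewal does not break trust. The entityID, certificate bytes and LoA are constructed values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for an IdP's old and renewed signing certificates (DER bytes).
CONSTRUCTED_OLD_CERT = b"constructed-der-bytes-idp-example-cert-2008"
CONSTRUCTED_NEW_CERT = b"constructed-der-bytes-idp-example-cert-2009"

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

# Whitelist keyed by issuer entityID: accepted signing-cert fingerprints plus LoA.
# Listing both the current and the renewed certificate lets the IdP roll over.
WHITELIST = {
    "https://idp.example.org/saml": {   # constructed entityID
        "fingerprints": {fingerprint(CONSTRUCTED_OLD_CERT), fingerprint(CONSTRUCTED_NEW_CERT)},
        "loa": 2,
    },
}

def token_provenance(assertion_xml: str):
    """Return (issuer, loa) when the assertion names a whitelisted issuer and
    carries one of that issuer's registered signing certificates, else None.
    The XML-DSig signature must still be verified with the matched certificate
    (e.g. via a SAML library); that step is not shown here."""
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find("saml:Issuer", NS)
    cert_el = root.find(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if issuer_el is None or not issuer_el.text or cert_el is None or not cert_el.text:
        return None  # no issuer or no certificate: provenance cannot be established
    issuer = issuer_el.text.strip()
    entry = WHITELIST.get(issuer)
    if entry is None:
        return None  # issuer not on the whitelist
    der = base64.b64decode(cert_el.text.strip())
    if fingerprint(der) not in entry["fingerprints"]:
        return None  # certificate is not one registered for the claimed issuer
    return issuer, entry["loa"]

def make_assertion(issuer: str, der: bytes) -> str:
    # Constructed minimal assertion; a real one carries a complete ds:Signature.
    cert_b64 = base64.b64encode(der).decode()
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
            f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            f'</saml:Assertion>')
```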
On 2009-09-23, at 9:54 AM, David Campos wrote:
Hello all,

I know that maybe this is not an iCard normal scenario, since the RP should not know anything about who made the token, but... is there any way that could allow the RP to know that a token comes from a trusted IdP? I guess that there should exist a way to do it, because depending on the provenance the token may be more or less trustable...

I don't think that this has something to do with appliesTo, since that parameter will send the IdP certificate through the net and this would trash almost all anonymity between RP and IdP. I would like a method to know that the token is reliable and not to know directly who issued it.

Thanks for any help you can give me :)
Regards,
---
David Campos
Safelayer Secure Communications
DMAG UPC Researcher
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev