Re: [higgins-dev] How to determine, as an RP, security token procedence

One other future possibility is that issuers place a SAML meta-data file with their signing keys that is dereferenceable via their issuer URL/entityID.

That would be the SAML way to do it. I know InCommon will be doing that for their cards.

John B.
On 2009-09-23, at 8:46 PM, David Campos wrote:

Default IdP tokens are issued with a NoProofKey as KeyType, so there is no information about to whom the modulus and exponent that make up the RSA public key belong. I don't know, from this token, how to infer the level of assurance of the issuer...

How should I build the whitelist according to this?

Thanks,
---
David Campos


On Wed, Sep 23, 2009 at 17:44, John Bradley <ve7jtb@xxxxxxxxxx> wrote:
You look at the issuer/entityID in the SAML token if it is a SAML token.

How you trust the issuer is a bit more complicated.  It depends on how the white list is constructed.

For the GSA the whitelist contains the signing certificates and LoA for each issuer.

Depending on the issuer they may not be sending a certificate, only the RSA public key.

If you try to use the key directly, things will break the first time the IdP renews its certificate.

John B.

On 2009-09-23, at 9:54 AM, David Campos wrote:

Hello all,

I know that maybe this is not a normal iCard scenario, since the RP should not know anything about who made the token, but... is there any way that could allow the RP to know that a token comes from a trusted IdP? I guess there should be some way to do it, because depending on the provenance the token may be more or less trustworthy...

I don't think that this has anything to do with appliesTo, since that parameter will send the IdP certificate through the net and this would trash almost all anonymity between RP and IdP. I would like a method to know that the token is reliable and not to know directly who issued it.

Thanks for any help you can give me :)

Regards,
---
David Campos
Safelayer Secure Communications
DMAG UPC Researcher
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
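As an added illustration of the whitelist John B. describes (RP-side code written for this archive note, not Higgins, GSA or InCommon code; the entityID, keys, LoA value and assertion below are constructed), this keys the whitelist by issuer entityID, stores several accepted signing keys per issuer so a certificate renewal does not break the RP, and handles the bare-RSA-key case from David's NoProofKey question:

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def key_fingerprint(modulus_b64: str, exponent_b64: str) -> str:
    """Stable identifier for a bare RSA public key (works without a certificate)."""
    raw = base64.b64decode(modulus_b64) + base64.b64decode(exponent_b64)
    return hashlib.sha256(raw).hexdigest()

# Constructed RP whitelist with hypothetical values: issuer entityID -> LoA plus the
# signing keys accepted for that issuer. Several keys per issuer let the IdP roll
# its certificate without breaking the RP (the failure John B. warns about).
WHITELIST = {
    "https://idp.example.org/": {
        "loa": 2,
        "keys": {key_fingerprint("AQIDBA==", "AQAB"),    # current key
                 key_fingerprint("BQYHCA==", "AQAB")},   # rollover key
    },
}

# Constructed assertion skeleton carrying only a bare RSA key in KeyInfo.
TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
    <ds:Modulus>AQIDBA==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
  </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature>
</saml:Assertion>"""

def assess_token(assertion_xml: str, whitelist=WHITELIST) -> dict:
    """Map a token to its issuer's whitelisted LoA (loa=None means reject).
    Assumes the XML signature was already verified by an XML-DSig library with the
    key in ds:KeyInfo; this only decides whether that key is trusted for the
    issuer named in the token, so a self-asserted issuer cannot borrow trust."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    entry = whitelist.get(issuer)
    if entry is None:
        return {"issuer": issuer, "loa": None, "reason": "issuer not whitelisted"}
    modulus = root.findtext(".//ds:RSAKeyValue/ds:Modulus", default="", namespaces=NS)
    exponent = root.findtext(".//ds:RSAKeyValue/ds:Exponent", default="", namespaces=NS)
    if not (modulus.strip() and exponent.strip()):
        return {"issuer": issuer, "loa": None, "reason": "no RSA key in KeyInfo"}
    if key_fingerprint(modulus.strip(), exponent.strip()) not in entry["keys"]:
        return {"issuer": issuer, "loa": None, "reason": "key not registered for issuer"}
    return {"issuer": issuer, "loa": entry["loa"], "reason": "ok"}
```

Because trust is looked up by issuer and then checked against that issuer's registered keys, a token signed with an unknown key, or naming an issuer not on the list, yields no LoA even if its signature verifies.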
