[higgins-dev] Selectors and proof keys

Hi All,

Given the knowledge and expertise on this list, I wanted to ask a
general Information Card question that is not particular to Higgins.
I hope you all don't mind.

Do selectors sign/encrypt the message sent to the RP when it requires
a proof key?  Specifically, if I have an RP that requires an
asymmetric proof key and a user hits it in their browser, is this the
general flow?

1. The selector comes up as usual and the user selects a card.
2. The selector sends the STS an RST w/ a KeyType of asymmetric.
3. The STS creates a token (which includes the proof key encrypted w/
the RP's public key) and sends it back in an RSTR which also includes
the proof key (outside the token) which is encrypted w/ the selector's
public key.
4. The selector decrypts the proof key using its private key.
5. It signs/encrypts a message and the security token w/ the proof key
and sends it to the RP.
6. The RP's policy is satisfied because the token is from a trusted
issuer and includes a proof key that the RP can use to ensure that the
message was sent by the entity that the STS issued the token for.

This is standard stuff, but my confusion comes about because someone
very knowledgeable in WS-Trust and WS-Federation told me that
selectors always send RPs bearer tokens just like browser-based
passive clients.  The Identity Selector Interop Profile says that an
RP can require a proof key, so I'm wondering if the spec and real life
are different.  Is it correct that selectors only use bearer tokens or
do they sign/encrypt messages with proof keys?

TIA!

-- 

Regards,

Travis Spencer
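
The distinction the question turns on, bearer token versus a token bound to a proof key, can be seen in a small model of the RP-side check. The following Go program is an added example, not code from the original post or from Higgins, and it does not implement WS-Trust or the Information Card message formats: it uses Ed25519 as a stand-in for the asymmetric proof key pair, a JSON blob as a stand-in for the security token, and constructed names (`sts.example`, subject `alice`, the `IssueToken`/`Present`/`Accept` functions). It models the variant in which the selector holds the proof private key and the STS embeds only the proof public key in the token, which is an assumption here rather than the encrypted-proof-key transfer described in step 3 above. The point it shows is the one raised in step 6: with a holder-of-key token the RP verifies both the issuer's signature and a proof-of-possession signature over the message, so a captured token is useless without the private key, whereas a bearer token is accepted from whoever presents it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Token is a constructed stand-in for the security token in the RSTR. A
// holder-of-key token carries the presenter's proof public key; a bearer
// token carries none.
type Token struct {
	Issuer   string `json:"issuer"`
	Subject  string `json:"subject"`
	ProofKey []byte `json:"proof_key,omitempty"`
}

// Message is what the selector sends to the RP: the serialized token, the
// STS's signature over it, the payload, and (holder-of-key only) a signature
// over payload+token made with the proof private key.
type Message struct {
	TokenBody []byte
	IssuerSig []byte
	Payload   []byte
	ProofSig  []byte
}

// join binds parts together with a separator so payload and token are signed
// as one unit and the signature cannot be moved to a different payload.
func join(parts ...[]byte) []byte { return bytes.Join(parts, []byte{0}) }

// IssueToken models the STS answering an RST (assumed issuer name). For an
// asymmetric KeyType the selector has supplied its proof public key; for a
// bearer token proofPub is nil and the token binds no key.
func IssueToken(stsKey ed25519.PrivateKey, subject string, proofPub ed25519.PublicKey) ([]byte, []byte) {
	body, _ := json.Marshal(Token{Issuer: "sts.example", Subject: subject, ProofKey: proofPub})
	return body, ed25519.Sign(stsKey, body)
}

// Present models the selector building the RP message. With a proof private
// key it signs payload+token; for a bearer token it only attaches the token.
func Present(tokenBody, issuerSig, payload []byte, proofPriv ed25519.PrivateKey) Message {
	m := Message{TokenBody: tokenBody, IssuerSig: issuerSig, Payload: payload}
	if proofPriv != nil {
		m.ProofSig = ed25519.Sign(proofPriv, join(payload, tokenBody))
	}
	return m
}

// Accept models the RP's policy check: the token must be signed by the
// trusted STS, and if it binds a proof key the presenter must prove possession
// of the matching private key. Returns the authenticated subject.
func Accept(stsPub ed25519.PublicKey, m Message) (string, error) {
	if !ed25519.Verify(stsPub, m.TokenBody, m.IssuerSig) {
		return "", errors.New("token not signed by trusted issuer")
	}
	var tok Token
	if err := json.Unmarshal(m.TokenBody, &tok); err != nil {
		return "", err
	}
	if tok.ProofKey == nil {
		return tok.Subject, nil // bearer: possession of the token is enough
	}
	if len(tok.ProofKey) != ed25519.PublicKeySize {
		return "", errors.New("malformed proof key in token")
	}
	if m.ProofSig == nil || !ed25519.Verify(ed25519.PublicKey(tok.ProofKey), join(m.Payload, m.TokenBody), m.ProofSig) {
		return "", errors.New("proof of possession failed")
	}
	return tok.Subject, nil
}

func main() {
	stsPub, stsPriv, _ := ed25519.GenerateKey(rand.Reader)
	proofPub, proofPriv, _ := ed25519.GenerateKey(rand.Reader) // selector's ephemeral proof key pair

	body, sig := IssueToken(stsPriv, "alice", proofPub)
	fmt.Println(Accept(stsPub, Present(body, sig, []byte("GET /account"), proofPriv)))
	// The same holder-of-key token replayed by a party that lacks the private key.
	fmt.Println(Accept(stsPub, Present(body, sig, []byte("GET /account"), nil)))

	bearerBody, bearerSig := IssueToken(stsPriv, "alice", nil)
	fmt.Println(Accept(stsPub, Present(bearerBody, bearerSig, []byte("GET /account"), nil)))
}
```

Running it prints `alice <nil>` for the holder-of-key presentation, an error for the replay of that same token without the private key, and `alice <nil>` again for the bearer token even though nothing proved who sent it. That last line is the practical difference behind the question: a bearer token's security rests entirely on the confidentiality of the channel it travels over, while a proof-key token also survives capture.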

