
Re: [higgins-dev] Selectors and proof keys

You should have a look at the IMI spec.

Sec 3.3.5: if no key type is specified in the RP policy, then the selector should request an asymmetric key token from the STS by default.

If you are using an RP/STS you can do Holder of Key proofs. It is true that HoK doesn't work through a browser at the moment.

The selector creates an ephemeral keypair to use for the subject confirmation.
For a non-auditing card the RP's public key is not sent to the STS and there is no audience restriction.
The selector encrypts the token for the RP using the RP's public key.

In the case where the user has selected an auditing card, the RP's certificate is sent to the IP/STS.
The URI of the object tag is used for the audience restriction and the public key of the RP is used to encrypt the token.

John B.

On 2009-12-15, at 9:02 PM, Travis Spencer wrote:

> Hi All,
> 
> Given the knowledge and expertise on this list, I wanted to ask a
> general Information Card question that is not particular to Higgins.
> I hope you all don't mind.
> 
> Do selectors sign/encrypt the message sent to the RP when it requires
> a proof key?  Specifically, if I have an RP that requires an
> asymmetric proof key and a user hits it in their browser, is this the
> general flow?
> 
> 1. The selector comes up as usual and the user selects a card.
> 2. The selector sends the STS an RST w/ a KeyType of asymmetric.
> 3. The STS creates a token (which includes the proof key encrypted w/
> the RP's public key) and sends it back in an RSTR which also includes
> the proof key (outside the token) which is encrypted w/ the selector's
> public key.
> 5. The selector decrypts the proof key using its private key
> 6. It signs/encrypts a message and the security token w/ the proof key
> and sends it to the RP.
> 7. The RP's policy is satisfied because the token is from a trusted
> issuer and includes a proof key that the RP can use to ensure that the
> message was sent by the entity that the STS issued the token for.
> 
> This is standard stuff, but my confusion comes about because someone
> very knowledgeable in WS-Trust and WS-Federation told me that
> selectors always send RPs bearer tokens just like browser-based
> passive clients.  The Identity Selector Interop Profile says that an
> RP can require a proof key, so I'm wondering if the spec and real life
> are different.  Is it correct that selectors only use bearer tokens or
> do they sign/encrypt messages with proof keys?
> 
> TIA!
> 
> -- 
> 
> Regards,
> 
> Travis Spencer
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev
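The holder-of-key flow John describes (the selector creates an ephemeral keypair, the STS binds its public key into the token as the subject confirmation key, and the selector proves possession to the RP by signing what it sends), as an added Go sketch that is not part of this thread, the IMI spec or the Higgins code. It models the token as a JSON document signed with ECDSA rather than a SAML assertion, leaves out the RST/RSTR messaging and the encryption of the token to the RP, and the audience URI and ppid claim are constructed values. The same verifier also accepts a bearer token (no embedded key, no message signature), which shows the difference Travis asked about: a copied bearer token is accepted from anyone, a copied holder-of-key token is not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Token stands in for the SAML assertion the STS issues; for holder-of-key it
// carries the selector's ephemeral P-256 public key, Audience only for auditing cards.
type Token struct {
	Audience string            `json:"audience,omitempty"`
	Claims   map[string]string `json:"claims"`
	ProofX   *big.Int          `json:"proof_x,omitempty"` // nil => bearer token
	ProofY   *big.Int          `json:"proof_y,omitempty"`
}

// Presentation is what the selector delivers to the RP.
type Presentation struct {
	TokenBody, TokenSig, Message, MsgSig []byte // MsgSig only for holder-of-key
}

// GenKey makes a P-256 key: the STS signing key, or the selector's one-interaction ephemeral key.
func GenKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(priv *ecdsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// IssueToken plays the STS: nil ephemeralPub => bearer token; "" audience => no restriction.
func IssueToken(sts *ecdsa.PrivateKey, audience string, ephemeralPub *ecdsa.PublicKey) (body, sig []byte) {
	tok := Token{Audience: audience, Claims: map[string]string{"ppid": "constructed-ppid"}}
	if ephemeralPub != nil {
		tok.ProofX, tok.ProofY = ephemeralPub.X, ephemeralPub.Y
	}
	body, _ = json.Marshal(tok) // Token always marshals; error ignored for brevity
	return body, sign(sts, body)
}

// Present plays the selector: a non-nil ephemeral key proves possession by signing the message.
func Present(ephemeral *ecdsa.PrivateKey, body, sig, msg []byte) Presentation {
	p := Presentation{TokenBody: body, TokenSig: sig, Message: msg}
	if ephemeral != nil {
		p.MsgSig = sign(ephemeral, msg)
	}
	return p
}

// VerifyAtRP plays the RP: trusted STS signature, audience when present, and for
// holder-of-key a valid message signature under the key embedded in the token.
func VerifyAtRP(stsPub *ecdsa.PublicKey, rpURI string, p Presentation) (map[string]string, error) {
	if !verify(stsPub, p.TokenBody, p.TokenSig) {
		return nil, errors.New("token is not signed by the trusted STS")
	}
	var tok Token
	if err := json.Unmarshal(p.TokenBody, &tok); err != nil {
		return nil, err
	}
	if tok.Audience != "" && tok.Audience != rpURI {
		return nil, fmt.Errorf("token audience %q is not this RP", tok.Audience)
	}
	if tok.ProofX == nil {
		return tok.Claims, nil // bearer: holding the token is the whole proof
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: tok.ProofX, Y: tok.ProofY}
	if !verify(pub, p.Message, p.MsgSig) {
		return nil, errors.New("message is not signed with the token's proof key")
	}
	return tok.Claims, nil
}

func main() {
	sts, eph := GenKey(), GenKey()
	body, sig := IssueToken(sts, "https://rp.example/", &eph.PublicKey) // auditing card, holder-of-key
	_, err := VerifyAtRP(&sts.PublicKey, "https://rp.example/", Present(eph, body, sig, []byte("request")))
	fmt.Println("holder-of-key presentation accepted:", err == nil)
}
```

The ephemeral private key never leaves the selector, so a party that obtains a copy of the token (from a log, a proxy or the RP itself) cannot present it elsewhere; with a bearer token the RP has nothing to check beyond the STS signature and, for an auditing card, the audience.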


