Re: [higgins-dev] Selectors and proof keys

On Tue, Dec 15, 2009 at 4:34 PM, John Bradley <ve7jtb@xxxxxxxxxx> wrote:
> It is true that HoK doesn't work through a browser at the moment.

What about when the selector is invoked because a user browses to a
Web page that has an info card HTML object tag in it?  When the
selector sends that Web site relying party the security token, is that
token and the HTML message signed/encrypted with a proof key by the
selector?  I've been told it can't be because the selector is out of
the picture by the time the STS sends the RSTR.  The selector requests
the token, but the last mile is just HTML and JavaScript.  The
selector (a fat client), which has the technological wherewithal to
sign and encrypt messages, is long gone by this point, so it can't do
a HoK proof and the browser can't either.  Thus, all security tokens
presented to Web site relying parties are bearer tokens even when info
card is used.  Is this correct?

-- 

Regards,

Travis Spencer

