mace-opensaml-users - RE: Looking for "best practices" regarding handling of keys/certificates
Subject: OpenSAML user discussion
List archive
- From: Mark Wilcox <>
- To: Shannon Kendrick <>,
- Subject: RE: Looking for "best practices" regarding handling of keys/certificates
- Date: Thu, 27 Feb 2003 18:40:47 -0500
- Importance: Normal
Personally it's been a while since I read the SAML spec, so I'm not 100%
sure if it's sent in the response. However if it is sent in the response
there's a variety of ways of choosing how to handle an unknown signature:
1 -- You can make a policy to only accept signatures signed by sites you
trust
2 -- You can make a policy to only accept signatures that were signed by
public keys that in turn have been signed by a site you trust (this is what
X.509 & PKI bring to the table though in theory you could use another
public-key format I suppose like PGP to sign a request).
I would recommend you read upon PKI and Java cryptography to get a better
understanding on the topic.
Mark
> -----Original Message-----
> From:
>
> [mailto:]On
> Behalf Of Shannon
> Kendrick
> Sent: Wednesday, February 26, 2003 12:49 PM
> To:
>
> Subject: Looking for "best practices" regarding handling of
> keys/certificates
>
>
> Being new to SAML and XML Signatures, I'd like to find out what the "best
> practices" are for signature validation of a SAML Response (Browser/POST
> profile). I'm implementing a SSO solution, and I'm trying to
> understand the
> whole sign/verify process. Eventually my site will only need to be the
> recipient of the SAML Response, but initially I'm also creating a SAML
> Response to prototype the SSO functionality.
>
> I'm currently unclear where to get the public key to validate the
> signature.
> Is it typically sent in the SAML Response? If so, how do I know
> it's a valid
> key? Or should I retrieve the key from a Java KeyStore on the filesystem?
> Should I worry about revocation lists?
>
> I realize my questions are not specifically about OpenSAML, but I'm hoping
> that someone on this list has already answered some of my questions.
>
> Thanks in advance,
> Shannon Kendrick
>
>
---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
---------------------------------------------------mace-opensaml-users--
- Looking for "best practices" regarding handling of keys/certificates, Shannon Kendrick, 02/26/2003
- RE: Looking for "best practices" regarding handling of keys/certificates, Mark Wilcox, 02/27/2003
- RE: Looking for "best practices" regarding handling of keys/certificates, Scott Cantor, 02/28/2003
- RE: Looking for "best practices" regarding handling of keys/certificates, Scott Cantor, 02/27/2003
- RE: Looking for "best practices" regarding handling of keys/certificates, Mark Wilcox, 02/27/2003
Archive powered by MHonArc 2.6.16.