shibboleth-dev - RE: Gridshib profile
- From: "Scott Cantor" <>
- To: "'Tom Scavo'" <>, "'Von Welch'" <>
- Cc: "'Thomas Lenggenhager'" <>, <>
- Subject: RE: Gridshib profile
- Date: Fri, 4 Mar 2005 13:26:25 -0500
- Organization: The Ohio State University
> Thomas' point is well taken, however. We must mitigate the
> possibility that a grid service could request attributes for any user.
> Perhaps there is some comfort in the fact that the DN in the proxy
> cert is short-lived, so if we make sure that the DN binding at the IdP
> expires along with the proxy cert, this is good enough.
The LionShare approach to this is (I think) to use something like the
current crypto handle plugin to generate an encrypted string containing the
principal and expiration data and then have the AA plugin decrypt that to
recover the identity. It just requires that the CA issuing the short-term
cert have the plugin to generate that DN.
-- Scott
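The mechanism Scott sketches above (the CA seals principal and expiry into an opaque string that becomes the proxy cert's DN, and the AA plugin unseals it to recover the identity) can be made concrete as follows. This is an added illustration, not LionShare, Shibboleth or GridShib code: the handle layout (`principal NUL unix-expiry`, sealed with AES-256-GCM), the `gridshib-handle-v1` associated-data label, the sample principal and the key are all constructed for the example. Its one design point beyond the message is the clamp in `MintHandle`: the binding's expiry is capped at the proxy certificate's NotAfter, so the IdP-side binding cannot outlive the cert it rides in, which is exactly the property Tom asked for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed associated-data label; binds the ciphertext to this handle format.
const handleLabel = "gridshib-handle-v1"

// newAEAD builds an AES-GCM instance from a 16/24/32-byte shared key. The key is
// assumed to be shared between the issuing CA and the IdP's attribute authority.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MintHandle is the CA side: it seals the principal and an expiry into an opaque
// token suitable for use as the CN of a short-lived proxy certificate. The expiry
// is clamped to certNotAfter so the identity binding never outlives the cert.
func MintHandle(key []byte, principal string, certNotAfter time.Time, ttl time.Duration, now time.Time) (string, error) {
	if strings.ContainsRune(principal, 0) {
		return "", errors.New("principal must not contain the NUL separator")
	}
	expiry := now.Add(ttl)
	if certNotAfter.Before(expiry) {
		expiry = certNotAfter // the cert lifetime wins
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plaintext := []byte(principal + "\x00" + strconv.FormatInt(expiry.Unix(), 10))
	// Output layout: nonce || ciphertext || GCM tag, base64url without padding.
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(handleLabel))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// ResolveHandle is the AA-plugin side: it authenticates and decrypts the handle
// pulled from the proxy DN and refuses anything tampered with or expired.
func ResolveHandle(key []byte, handle string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(handle)
	if err != nil {
		return "", errors.New("handle is not valid base64url")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("handle too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(handleLabel))
	if err != nil {
		return "", errors.New("handle failed authentication")
	}
	parts := strings.SplitN(string(pt), "\x00", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed handle")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return "", errors.New("malformed expiry")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("handle expired")
	}
	return parts[0], nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	now := time.Now()
	h, err := MintHandle(key, "user@example.edu", now.Add(12*time.Hour), time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("proxy DN: CN=" + h + ",O=Example Campus")
	p, err := ResolveHandle(key, h, now.Add(30*time.Minute))
	fmt.Println("resolved:", p, err)
}
```

The AA never consults a DN-to-principal table; the principal is recovered entirely from the sealed handle, and a grid service holding a stale or forged DN gets an authentication or expiry error rather than attributes.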