shibboleth-dev - Re: Encryption key strategies
Subject: Shibboleth Developers
List archive
- From: "Tom Scavo" <>
- To:
- Subject: Re: Encryption key strategies
- Date: Thu, 22 Jun 2006 13:07:48 -0400
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=gXHJdEuiKOQoT/h3l9Lp4pg0tcLl0pwNYDuTezzefstX6jxBA7C4bgYTkm9MaJnlxYQt/Pmk4ulRIneFNFP6p4pd38RV0T3GaPxbuAucba12fRQuMmxJA0/opkSuafm7TMSY0+eNF6oxc7ez9oabTaTp9k45D2Gkj+FkcfhpbpE=
On 6/22/06, Scott Cantor
<>
wrote:
Given a requirement to encrypt, whatever the reason, how do I get the public
key of the rceipient?
Metadata?
One answer is obvious, stick the key or a cert in a KeyDescriptor and just
get it.
Agreed. SAMLProf recommends this in fact, but on a profile by profile basis.
The question is what else could/should Shib 2.0 do, if anything, and
if not (and I'm arguing not), what are the implications on other uses of PKI
in the implementation?
I suppose Shib 2.0 should do what SAMLProf suggests (sections 4.1.6,
4.4.5, etc.), that is, rely on use="encryption" in metadata. [By the
way, there's a nasty typo on line 627 of SAMLProf.] Given everything
you've said so far, anything else should put off 'til Shib 2.1.
(Not sure why we're wasting cycles debating this in the Shib list
right now. Doesn't this issue belong in the SSTC?)
That particular profile couldn't have less to do with what I'm asking about
here. That profile says stuff like "X MUST encrypt Y". That's it. I don't
think it ought to go deeper than that. If you're thinking of adding stuff
about reusing keys, it probably won't fly.
Sorry, you need to go back and read sections 4.1.2 and 4.2.2
carefully. The latter, for example, gives the IdP three options to
encrypt the assertion. Two are reuse options. Even the SP has a
reuse option.
Tom
- Re: Encryption key strategies, (continued)
- Re: Encryption key strategies, Chad La Joie, 06/22/2006
- Re: Encryption key strategies, Tom Scavo, 06/22/2006
- Re: Encryption key strategies, Chad La Joie, 06/22/2006
- Re: Encryption key strategies, Tom Scavo, 06/22/2006
- RE: Encryption key strategies, Scott Cantor, 06/22/2006
- Re: Encryption key strategies, Tom Scavo, 06/22/2006
- RE: Encryption key strategies, Scott Cantor, 06/22/2006
- RE: Encryption key strategies, Jim Fox, 06/22/2006
- RE: Encryption key strategies, Scott Cantor, 06/22/2006
- Re: Encryption key strategies, Keith Hazelton, 06/22/2006
- Re: Encryption key strategies, Chad La Joie, 06/22/2006
- Re: Encryption key strategies, Tom Scavo, 06/22/2006
- RE: Encryption key strategies, Scott Cantor, 06/22/2006
- Re: Encryption key strategies, Reimer Karlsen-Masur, DFN-CERT, 06/23/2006
- RE: Encryption key strategies, Scott Cantor, 06/23/2006
- Re: Encryption key strategies, Ian Young, 06/28/2006
- Re: Encryption key strategies, Alistair Young, 06/26/2006
- RE: Encryption key strategies, Scott Cantor, 06/26/2006
- Re: Encryption key strategies, Chad La Joie, 06/22/2006
Archive powered by MHonArc 2.6.16.