Skip to Content.
Sympa Menu

shibboleth-dev - Re: Encryption key strategies

Subject: Shibboleth Developers

List archive

Re: Encryption key strategies


Chronological Thread 
  • From: "Reimer Karlsen-Masur, DFN-CERT" <>
  • To:
  • Subject: Re: Encryption key strategies
  • Date: Fri, 23 Jun 2006 10:02:41 +0200

Hi.

Scott Cantor wrote:

> In SSO plus Single Logout plus NameIDMgmt, etc. there's no way to make it
> that clean. So it's a different issue. And again NOT MY QUESTION.
>
> I was asking (quite unsuccessfully apart from Keith) one basic
> question...what's the first domino? Aside from metadata, how else should
> Shib 2.0 obtain public encryption keys? The consensus apparently is
> "nowhere", so asked and answered.

The usual PKI approach is to get the needed public key (i.e. certificate
with encryption keyusage) either from a well known set of keyservers (if
there is a way to reference them uniquely) or to ask the peer for its public
key (again its certificate with encryption keyusage).

In any case the sending (and encrypting) peer must verify the authenticity
of that received certificate by validating the certification path to a
trusted (root-)CA and checking against all CRLs of the involved CAs on this
path and possibly further means.

The keyservers could be a set of LDAP servers whose connection parameters
are specified in the meta data as Keith suggested. LDAP servers URLs, LDAP
basenames etc have to be placed in the meta data of a federation.

To get all CRLs of all involved CAs their URLs must either be known (meta
data) or better retrieved on the fly (and may be cached for a while) from
the validated certificates CDP. The CDP is usually one or better more http
or OCSP URLs or a combination of them.

To get all involved intermediate CA certificates to validate the certificate
chain all validated certificates should use the AIA extension to specify the
http URL where to download its issuing CAs certificate. This CA cert could
be cached as well.

(Or put the stuff into the meta data. But that does not scale.)

Just my 2 cent.
--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-615 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 1A9E4B95, A6 9E 4F AF F6 C7 2C B8 DA 72 F4 5E B4 A4 F0 66

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.16.

Top of Page