shibboleth-dev - RE: [Shib-Dev] lessons learned from AD FS 2.0
Subject: Shibboleth Developers
List archive
- From: Peter Williams <>
- To: "" <>
- Subject: RE: [Shib-Dev] lessons learned from AD FS 2.0
- Date: Mon, 25 Oct 2010 16:51:10 -0700
- Accept-language: en-US
- Acceptlanguage: en-US
Is the function of metadata to enforce/express key management, or not? Or is
it there (only) to drive the audience controls?
Remember, in SAML2, KMI is orthogonal to (a) metadata and (b) the
writer-to-reader service of such as the authnReq protocol (based on signing
and enciphering services) which applies crypto to enforce the audience
controls (and other similar controls such as authorized IDP proxing).
Many of the errors of PKI (vs simple X.509 certs) were encountered when
overloading onto its capabilities as a 1) strong auth and 2_ trust
distribution infrastructure ...(i) functions of key management and then (ii)
policy-controls on associated key usages. Don't make the same error twice.
Key Usages are best NOT managed using PKI (despite what Entrust tried to
persuade the world, based on certain mgt domain theories used in Canadian
MOD); or metadata.
I know it's tempting to overload metadata and I know the pressure to exert
centralized control over nodes' access to crypto is inexorable. But, keep the
security engineering functions separate!
-----Original Message-----
From:
[mailto:]
On Behalf Of Tom Scavo
Sent: Monday, October 25, 2010 4:40 PM
To:
Subject: Re: [Shib-Dev] lessons learned from AD FS 2.0
On Mon, Oct 25, 2010 at 11:03 AM, Scott Cantor
<>
wrote:
>
>> > 3. Every role descriptor SHOULD have at most one encryption key.
>>
>> We don't make such a restriction, and in fact (SP) entities often
>> have
> more
>> than one encryption key during key rollover.
>
> Tom's point is that in theory that isn't needed, since both keys are
> available to the sofwtare, so you can switch the key rather than add
> them,
> *if* you control the use attribute and can distinguish signing vs.
> encryption.
Correct.
> This is true, but IMHO just makes the situation harder to understand,
> not simpler.
That's debatable, but the proof is in the pudding, I suppose. I'll write up
some documentation so folks can decide for themselves.
One thing seems clear, however. If every <md:KeyDescriptor> element in
metadata had an explicit 'use' attribute, it would be much easier for
everybody. So, as Ian observed, our tools need to support this (which is
probably the most important lesson I've learned from all of this).
Tom
- [Shib-Dev] lessons learned from AD FS 2.0, Tom Scavo, 10/24/2010
- RE: [Shib-Dev] lessons learned from AD FS 2.0, Scott Cantor, 10/24/2010
- Re: [Shib-Dev] lessons learned from AD FS 2.0, Tom Scavo, 10/24/2010
- RE: [Shib-Dev] lessons learned from AD FS 2.0, Scott Cantor, 10/24/2010
- Re: [Shib-Dev] lessons learned from AD FS 2.0, Tom Scavo, 10/24/2010
- Re: [Shib-Dev] lessons learned from AD FS 2.0, Ian Young, 10/25/2010
- RE: [Shib-Dev] lessons learned from AD FS 2.0, Scott Cantor, 10/25/2010
- Re: [Shib-Dev] lessons learned from AD FS 2.0, Tom Scavo, 10/25/2010
- RE: [Shib-Dev] lessons learned from AD FS 2.0, Peter Williams, 10/25/2010
- RE: [Shib-Dev] lessons learned from AD FS 2.0, Scott Cantor, 10/25/2010
- Re: [Shib-Dev] lessons learned from AD FS 2.0, Tom Scavo, 10/25/2010
- Re: [Shib-Dev] lessons learned from AD FS 2.0, Tom Scavo, 10/28/2010
- Re: [Shib-Dev] lessons learned from AD FS 2.0, Tom Scavo, 10/25/2010
- RE: [Shib-Dev] lessons learned from AD FS 2.0, Scott Cantor, 10/25/2010
- RE: [Shib-Dev] lessons learned from AD FS 2.0, Scott Cantor, 10/24/2010
Archive powered by MHonArc 2.6.16.