Default IdP tokens are issued with NoProofKey as the KeyType, so there is no information about whom the modulus and exponent that make up the RSA public key belong to. I don't know, from this token, how to infer the level of assurance of the issuer...

How should I build the whitelist according to this?

Thanks,
---
David Campos

On Wed, Sep 23, 2009 at 17:44, John Bradley <[email protected]> wrote:

> You look at the issuer/entityID in the SAML token if it is a SAML token.
>
> How you trust the issuer is a bit more complicated. It depends on how the
> white list is constructed.
>
> For the GSA the whitelist contains the signing certificates and LoA for
> each issuer.
>
> Depending on the issuer they may not be sending a certificate, only the RSA
> public key.
>
> If you try and use the key directly things will break the first time the
> IdP renews their certificate.
>
> John B.
>
> On 2009-09-23, at 9:54 AM, David Campos wrote:
>
>> Hello all,
>>
>> I know that maybe this is not a normal iCard scenario, since the RP should
>> not know anything about who made the token but... is there any way that
>> could allow the RP to know that a token comes from a trusted IdP? I guess that
>> there should be some way to do it, because depending on its origin the
>> token may be more or less trustworthy...
>>
>> I don't think that this has something to do with appliesTo, since that
>> parameter will send the IdP certificate through the net and this would trash
>> almost all anonymity between RP and IdP. I would like a method to know that
>> the token is reliable and not to know directly who issued it.
>>
>> Thanks for any help you can give me :)
>>
>> Regards,
>> ---
>> David Campos
>> Safelayer Secure Communications
>> DMAG UPC Researcher
>> _______________________________________________
>> higgins-dev mailing list
>> [email protected]
>> https://dev.eclipse.org/mailman/listinfo/higgins-dev
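One possible whitelist layout for the approach described in the reply above, as an added example that is not part of the original thread or of the Higgins code: rows are keyed by issuer/entityID and hold the LoA plus every accepted signing certificate, so a renewal adds a certificate instead of breaking the lookup. The issuer URL, key material and row layout are constructed assumptions, and the token's XML signature is assumed to have been verified already.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
KEYINFO = f"{DS}Signature/{DS}KeyInfo/"
IDP = "https://idp.example.org/sts"   # hypothetical issuer/entityID

# Constructed stand-ins, not real key material: (cert DER, RSA modulus, exponent)
OLD = (b"constructed-cert-2009", b"old-modulus", b"\x01\x00\x01")
NEW = (b"constructed-cert-2010", b"new-modulus", b"\x01\x00\x01")
ROGUE = (b"constructed-rogue-cert", b"rogue-modulus", b"\x01\x00\x01")

def entry(loa, *certs):
    """One whitelist row: the LoA plus every signing cert currently accepted."""
    return {"loa": loa,
            "cert_fps": {hashlib.sha256(c[0]).hexdigest() for c in certs},
            "keys": {c[1:] for c in certs}}   # public keys taken from those certs

WHITELIST = {IDP: entry(2, OLD, NEW)}   # renewal = add NEW next to OLD

def b64(node, path):
    return base64.b64decode(node.findtext(path) or "")

def assurance_level(token_xml):
    """Return the issuer's LoA, or None if the token is not trusted.
    Assumes the XML signature was already verified with the KeyInfo key.
    SAML 1.1 has an Issuer attribute, SAML 2.0 an Issuer element."""
    a = ET.fromstring(token_xml)
    row = WHITELIST.get(a.get("Issuer") or a.findtext(SAML2 + "Issuer"))
    if row is None:
        return None
    cert_path = KEYINFO + f"{DS}X509Data/{DS}X509Certificate"
    if a.find(cert_path) is not None:
        ok = hashlib.sha256(b64(a, cert_path)).hexdigest() in row["cert_fps"]
    else:   # issuer sent only the RSA public key
        rsa = KEYINFO + f"{DS}KeyValue/{DS}RSAKeyValue/"
        ok = (b64(a, rsa + f"{DS}Modulus"), b64(a, rsa + f"{DS}Exponent")) in row["keys"]
    return row["loa"] if ok else None

def make_token(issuer, material, key_only=False):
    """Build a constructed SAML 1.1-style assertion for the demo."""
    e = lambda b: base64.b64encode(b).decode()
    ki = (f"<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>{e(material[1])}</ds:Modulus>"
          f"<ds:Exponent>{e(material[2])}</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>"
          if key_only else
          f"<ds:X509Data><ds:X509Certificate>{e(material[0])}</ds:X509Certificate></ds:X509Data>")
    return (f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
            f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Issuer="{issuer}">'
            f"<ds:Signature><ds:KeyInfo>{ki}</ds:KeyInfo></ds:Signature></saml:Assertion>")
```

Matching a key-only token against the public keys of the issuer's whitelisted certificates is a design choice of this sketch; the thread does not say how the GSA whitelist handles that case.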
