Is there any way to request the TokenService to use less privacy (at least once I know how to deal with LoA and those things) and send its X.509 certificate?

Should I just use AppliesTo cards and request it on the RP?

Thanks for your reply,
---
David Campos

On Thu, Sep 24, 2009 at 03:30, John Bradley <[email protected]> wrote:
> One other future possibility is that issuers place a SAML metadata file
> with their signing keys that is dereferenceable via their issuer URL/entityID.
> That would be the SAML way to do it. I know InCommon will be doing that
> for their cards.
>
> John B.
>
> On 2009-09-23, at 8:46 PM, David Campos wrote:
>
>> Default IdP tokens are issued with a NoProofKey as KeyType, so there is no
>> information about who the modulus and exponent that make up the RSA
>> public key belong to. I don't know, from this token, how to infer the level of
>> assurance of the issuer...
>>
>> How should I build the whitelist according to this?
>>
>> Thanks,
>> ---
>> David Campos
>>
>> On Wed, Sep 23, 2009 at 17:44, John Bradley <[email protected]> wrote:
>>
>>> You look at the issuer/entityID in the SAML token if it is a SAML token.
>>>
>>> How you trust the issuer is a bit more complicated. It depends on how the
>>> whitelist is constructed.
>>>
>>> For the GSA the whitelist contains the signing certificates and LoA for
>>> each issuer.
>>>
>>> Depending on the issuer they may not be sending a certificate, only the
>>> RSA public key.
>>>
>>> If you try and use the key directly, things will break the first time the
>>> IdP renews their certificate.
>>>
>>> John B.
>>>
>>> On 2009-09-23, at 9:54 AM, David Campos wrote:
>>>
>>>> Hello all,
>>>>
>>>> I know that maybe this is not a normal iCard scenario, since the RP should
>>>> not know anything about who made the token but... is there any way that
>>>> could allow the RP to know that a token comes from a trusted IdP? I guess that
>>>> there should be some way to do it, because depending on the provenance the
>>>> token may be more or less trustworthy...
>>>>
>>>> I don't think that this has something to do with appliesTo, since that
>>>> parameter will send the IdP certificate over the net and this would trash
>>>> almost all anonymity between the RP and the IdP. I would like a method to know that
>>>> the token is reliable and not to know directly who issued it.
>>>>
>>>> Thanks for any help you can give me :)
>>>>
>>>> Regards,
>>>> ---
>>>> David Campos
>>>> Safelayer Secure Communications
>>>> DMAG UPC Researcher
>>>> _______________________________________________
>>>> higgins-dev mailing list
>>>> [email protected]
>>>> https://dev.eclipse.org/mailman/listinfo/higgins-dev
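The whitelist John describes (keyed on the token's issuer/entityID, holding each issuer's accepted signing keys and LoA, and surviving a certificate renewal because the issuer entry can list more than one key) as an added Python example. This is not Higgins code and was not posted in the thread. It assumes the RP has already verified the token's XML signature with a real XML-DSig library; the code only answers the trust question the thread is about: does the key that signed this token belong to a whitelisted issuer, and at what LoA. A bare ds:RSAKeyValue (the NoProofKey case, where only modulus and exponent are sent) and a ds:X509Certificate are both reduced to a fingerprint so either form can be put on file. The issuer URL, modulus bytes, SignatureValue and whitelist contents are constructed for the example and are not real keys or real issuers.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",   # SAML 1.x, as Information Card STSs issue
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def rsa_key_fingerprint(modulus_b64, exponent_b64):
    """Fingerprint of a bare RSA public key (ds:RSAKeyValue). Leading zero bytes are
    stripped so the same key hashes identically however the issuer encoded it."""
    n = base64.b64decode(modulus_b64).lstrip(b"\x00")
    e = base64.b64decode(exponent_b64).lstrip(b"\x00")
    return "rsa:" + hashlib.sha256(len(n).to_bytes(4, "big") + n + e).hexdigest()


def x509_fingerprint(cert_b64):
    """Fingerprint of a DER certificate carried in ds:X509Certificate."""
    return "x509:" + hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def signing_key_id(assertion):
    """Identify the key in ds:KeyInfo, whichever of the two forms the issuer sent."""
    key_info = assertion.find("ds:Signature/ds:KeyInfo", NS)
    if key_info is None:
        raise ValueError("token carries no ds:KeyInfo")
    cert = key_info.find("ds:X509Data/ds:X509Certificate", NS)
    if cert is not None and cert.text:
        return x509_fingerprint("".join(cert.text.split()))
    rsa = key_info.find("ds:KeyValue/ds:RSAKeyValue", NS)
    if rsa is not None:
        mod, exp = rsa.find("ds:Modulus", NS), rsa.find("ds:Exponent", NS)
        if mod is not None and exp is not None:
            return rsa_key_fingerprint("".join(mod.text.split()), "".join(exp.text.split()))
    raise ValueError("ds:KeyInfo holds neither an X509Certificate nor an RSAKeyValue")


def token_issuer(assertion):
    issuer = assertion.get("Issuer")                 # SAML 1.x: attribute on <Assertion>
    if issuer is None:
        el = assertion.find("saml2:Issuer", NS)      # SAML 2.0: child element
        issuer = el.text.strip() if el is not None and el.text else None
    return issuer


def issuer_loa(token_xml, whitelist):
    """LoA of the token's issuer, or None when the issuer is unknown or the token was
    signed with a key that is not on file for that issuer. Assumes the XML signature
    itself was already verified (assumption of this example)."""
    assertion = ET.fromstring(token_xml)
    entry = whitelist.get(token_issuer(assertion))
    if entry is None:
        return None
    if signing_key_id(assertion) not in entry["keys"]:
        return None
    return entry["loa"]


def add_issuer_key(whitelist, issuer, key_id):
    """Put a renewed key on file before the IdP switches to it, so rotation does not break."""
    whitelist[issuer]["keys"].add(key_id)


# Constructed sample data (not real keys, not a real issuer).
SAMPLE_EXPONENT = base64.b64encode(b"\x01\x00\x01").decode()
SAMPLE_MODULUS = base64.b64encode(bytes(range(1, 65))).decode()
ROTATED_MODULUS = base64.b64encode(bytes(range(65, 129))).decode()
SAMPLE_IDP = "https://idp.example.org/sts"


def sample_token(issuer, modulus_b64):
    """A minimal SAML 1.1 assertion with a NoProofKey-style ds:RSAKeyValue (constructed)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed" Issuer="{issuer}">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
      <ds:Modulus>{modulus_b64}</ds:Modulus>
      <ds:Exponent>{SAMPLE_EXPONENT}</ds:Exponent>
    </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
  </ds:Signature>
</saml:Assertion>"""


def sample_whitelist():
    """Issuer -> {LoA, accepted signing-key fingerprints}; one entry, constructed."""
    return {SAMPLE_IDP: {"loa": 2, "keys": {rsa_key_fingerprint(SAMPLE_MODULUS, SAMPLE_EXPONENT)}}}


if __name__ == "__main__":
    wl = sample_whitelist()
    print(issuer_loa(sample_token(SAMPLE_IDP, SAMPLE_MODULUS), wl))    # 2
    print(issuer_loa(sample_token(SAMPLE_IDP, ROTATED_MODULUS), wl))   # None: renewed key not on file yet
    add_issuer_key(wl, SAMPLE_IDP, rsa_key_fingerprint(ROTATED_MODULUS, SAMPLE_EXPONENT))
    print(issuer_loa(sample_token(SAMPLE_IDP, ROTATED_MODULUS), wl))   # 2
    print(issuer_loa(sample_token("https://other.example.net", SAMPLE_MODULUS), wl))  # None
```

The lookup is keyed on the issuer first and only then checks that the signing key is one of that issuer's keys, which is the opposite of pinning the bare modulus and exponent as the trust anchor: with this layout a renewal is handled by adding the new fingerprint to the issuer's entry ahead of time, while a token from an unknown issuer is rejected even if it happens to carry a key seen elsewhere.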
