Hi All,

Given the knowledge and expertise on this list, I wanted to ask a general Information Card question that is not particular to Higgins. I hope you all don't mind.

Do selectors sign/encrypt the message sent to the RP when it requires a proof key? Specifically, if I have an RP that requires an asymmetric proof key and a user hits it in their browser, is this the general flow?

1. The selector comes up as usual and the user selects a card.
2. The selector sends the STS an RST w/ a KeyType of asymmetric.
3. The STS creates a token (which includes the proof key encrypted w/ the RP's public key) and sends it back in an RSTR which also includes the proof key (outside the token) which is encrypted w/ the selector's public key.
5. The selector decrypts the proof key using its private key.
6. It signs/encrypts a message and the security token w/ the proof key and sends it to the RP.
7. The RP's policy is satisfied because the token is from a trusted issuer and includes a proof key that the RP can use to ensure that the message was sent by the entity that the STS issued the token for.

This is standard stuff, but my confusion comes about because someone very knowledgeable in WS-Trust and WS-Federation told me that selectors always send RPs bearer tokens just like browser-based passive clients. The Identity Selector Interop Profile says that an RP can require a proof key, so I'm wondering if the spec and real life are different. Is it correct that selectors only use bearer tokens, or do they sign/encrypt messages with proof keys?

TIA!

--
Regards,
Travis Spencer

_______________________________________________
higgins-dev mailing list
https://dev.eclipse.org/mailman/listinfo/higgins-dev
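As an added illustration (not part of the original post or of Higgins), the following stand-alone Python model walks through the holder-of-key flow the steps above describe, contrasted with a bearer token. It uses a symmetric (HMAC) proof key because the key distribution in step 3 (proof key wrapped for the RP inside the token, and returned to the requester outside it) is exactly how a symmetric proof key is delivered; all keys, names and the toy XOR key wrap standing in for RSA encryption are constructed for the demo, and the RP check shows why a token presented without the proof key fails step 7.

```python
import hmac, hashlib, json, secrets

# Constructed demo keys: the RP trusts tokens signed with STS_SIGNING_KEY
# (stands in for the STS's token signature) and RP_KEK stands in for the
# RP's public key used to wrap the proof key inside the token.
STS_SIGNING_KEY = b"constructed-sts-signing-key"
RP_KEK = b"constructed-rp-key-encryption-key"

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def xor_wrap(kek, key):
    """Toy key wrap standing in for RSA encryption; wrapping twice unwraps."""
    pad = hashlib.sha256(kek).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

def sts_issue(subject, key_type):
    """Step 3: build an RSTR. For a proof-key token the STS generates the proof
    key, wraps it for the RP inside the signed token, and also returns it to
    the requester outside the token. A bearer token carries no proof key."""
    proof_key = secrets.token_bytes(32) if key_type != "Bearer" else None
    claims = {"sub": subject, "KeyType": key_type}
    if proof_key:
        claims["ProofKey"] = xor_wrap(RP_KEK, proof_key).hex()
    body = json.dumps(claims, sort_keys=True)
    token = {"body": body, "sig": _mac(STS_SIGNING_KEY, body.encode())}
    return {"token": token, "proof_key": proof_key}

def selector_present(rstr, message):
    """Step 6: sign the message together with the token using the proof key.
    A bearer presentation is just the token plus the message."""
    pres = {"token": rstr["token"], "message": message}
    if rstr["proof_key"]:
        pres["sig"] = _mac(rstr["proof_key"], (rstr["token"]["sig"] + message).encode())
    return pres

def rp_verify(pres, require_proof=True):
    """Step 7: check the issuer signature, then check that the presenter
    proved possession of the proof key the STS bound to the token."""
    tok = pres["token"]
    if not hmac.compare_digest(tok["sig"], _mac(STS_SIGNING_KEY, tok["body"].encode())):
        return False, "untrusted issuer signature"
    claims = json.loads(tok["body"])
    if claims["KeyType"] == "Bearer":
        return (not require_proof), "bearer token: any holder can present it"
    proof_key = xor_wrap(RP_KEK, bytes.fromhex(claims["ProofKey"]))  # unwrap with RP key
    expected = _mac(proof_key, (tok["sig"] + pres["message"]).encode())
    if "sig" not in pres or not hmac.compare_digest(pres["sig"], expected):
        return False, "presenter does not hold the proof key"
    return True, "holder-of-key proven"
```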
