Subject: Re: [imi] Philosophical questions


John Bradley <jbradley@mac.com> wrote on 04/02/2009 02:14:42 PM:

> 1: Should a p-card STS generate a token for a revoked cert? Perform OCSP/CRL validation separate from the browser.


Not sure whether the STS always knows the certificate.
My understanding of CardSpace is that the selector and personal token generator (STS) are integrated.
Therefore, it's relatively safe to say the STS knows what the selector knows (i.e. the RP SSL cert).
That does not always need to be the case; a selector could send an RST (containing a ClientPseudonym) to an STS which would never see the certificate and therefore could not decide anything based on it.

> 2: Should a p-card STS generate a token for an expired cert? If so, which PPID alg should be used? Should it ignore the fact that it is expired and assume the user has overridden the browser for a good reason? Should it use case 3 even if it is an EV or other cert with a non-empty O= but expired?


This is a policy decision. In reality there are many reasons a certificate would be "invalid" (revoked, expired, incorrect usage, doesn't chain to a trusted root, etc.). Some deployment scenarios might require very strict adherence to a validation policy. Others might be less strict. Sadly, there are many internal sites I need to use in my job that have untrusted/expired SSL certificates. If a selector didn't let me get there, I would not (could not) choose not to go to the site; I'd choose another selector.

> 3: Should a p-card STS generate a token for a self-signed cert, using Case 3 sec 7.6.1.
>
> I think 3 is an easy answer but 1 and 2 are more complicated, especially if the STS may be running on a separate computer.
>
> Opinions welcome.
>
> John B.
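The reply above frames the three questions as a deployment policy decision and adds a fourth case the questions do not cover: an STS that never sees the RP certificate because the RST only carried a ClientPseudonym. The following is an added example (not code from the IMI TC, CardSpace, or either poster) of how a p-card STS could encode such a policy as an explicit, auditable decision rather than an ad-hoc chain of ifs. Every name in it (`RpCertStatus`, `IssuancePolicy`, the `STRICT`/`LENIENT` profiles, the reason strings) is an assumption for illustration; the validation facts are assumed to have been established already by OCSP/CRL and chain building, and the PPID derivation cases of section 7.6.1 are deliberately left out of scope.

```python
"""
Policy evaluator for an Information Card personal-card (p-card) STS: given what
the STS knows about the relying party's (RP) SSL certificate, decide whether a
token may be issued.  Added example, not code from any selector or STS; all
names and policy profiles below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ISSUE = "issue"
    REFUSE = "refuse"


@dataclass(frozen=True)
class RpCertStatus:
    """Validation outcome established for the RP certificate (assumed to come
    from the selector's or the STS's own OCSP/CRL and chain checks)."""
    revoked: bool = False                 # OCSP/CRL reports the cert revoked
    expired: bool = False                 # notAfter lies in the past
    self_signed: bool = False             # no issuer other than itself
    chains_to_trusted_root: bool = True   # path builds to a trusted anchor
    key_usage_ok: bool = True             # usable for server authentication
    user_overrode_browser: bool = False   # user clicked through a TLS warning


@dataclass(frozen=True)
class IssuancePolicy:
    """Deployment policy knobs (assumed names)."""
    name: str
    require_certificate: bool              # refuse if the STS never saw the cert
    allow_expired_with_override: bool
    allow_self_signed: bool
    allow_untrusted_root_with_override: bool


# Two illustrative profiles matching the 'very strict' and 'less strict'
# deployments mentioned in the thread.
STRICT = IssuancePolicy("strict", True, False, False, False)
LENIENT = IssuancePolicy("lenient", False, True, True, True)


def evaluate(status: Optional[RpCertStatus],
             policy: IssuancePolicy) -> Tuple[Decision, str]:
    """Return (decision, reason).  `status is None` models the RST-with-
    ClientPseudonym case where the STS has no certificate to judge."""
    if status is None:
        if policy.require_certificate:
            return Decision.REFUSE, "RP certificate unknown to STS"
        return Decision.ISSUE, "RP certificate unknown to STS; policy tolerates it"
    # Revocation and wrong key usage are never user-overridable: the key may be
    # compromised, or the cert was never meant to identify a TLS server.
    if status.revoked:
        return Decision.REFUSE, "RP certificate revoked"
    if not status.key_usage_ok:
        return Decision.REFUSE, "RP certificate not valid for server authentication"
    # Self-signed certs are judged on their own; they never chain to a root.
    if status.self_signed and not policy.allow_self_signed:
        return Decision.REFUSE, "self-signed RP certificate"
    if status.expired and not (policy.allow_expired_with_override
                               and status.user_overrode_browser):
        return Decision.REFUSE, "RP certificate expired"
    if (not status.self_signed and not status.chains_to_trusted_root
            and not (policy.allow_untrusted_root_with_override
                     and status.user_overrode_browser)):
        return Decision.REFUSE, "RP certificate does not chain to a trusted root"
    return Decision.ISSUE, "RP certificate acceptable under policy"


def thread_scenarios(policy: IssuancePolicy) -> dict:
    """The situations raised in the thread, evaluated under one policy."""
    return {
        "revoked": evaluate(RpCertStatus(revoked=True), policy)[0],
        "expired, user overrode browser": evaluate(
            RpCertStatus(expired=True, user_overrode_browser=True), policy)[0],
        "self-signed": evaluate(
            RpCertStatus(self_signed=True, chains_to_trusted_root=False), policy)[0],
        "cert never seen by STS": evaluate(None, policy)[0],
    }


if __name__ == "__main__":
    for policy in (STRICT, LENIENT):
        print(f"policy={policy.name}")
        for case, decision in thread_scenarios(policy).items():
            print(f"  {case:32s} -> {decision.value}")
```

Keeping the decision in one function with a returned reason string gives the STS something to log on every refusal, which is what an operator needs when a user reports "my card stopped working on an internal site": the log shows whether it was revocation (never overridable) or a policy choice about expiry or self-signed certs.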
