Subject: Re: [imi] Question regarding encryption
Hi John, thanks for your quick response. I'll check how some of the publicly available IdPs handle non-auditing cards.

> In principle if a user doesn't want an IdP to know where they are using the card, they should use a p-card or choose an issuer they trust.

I was thinking of a government-driven IdP where users probably don't want the IdP to know all services they use.

kind regards,
Mario

John Bradley wrote:
> Mario,
>
> If an auditing mode card is not used, there is no audience restriction in the SAML token.
>
> The response is encrypted to the selector and then the selector encrypts it to the RP.
>
> In both cases the RP receives a token encrypted with its public key.
>
> If the RP is not SSL the token is not encrypted to the RP in either case.
>
> Auditing or not is largely (read the spec for auditing optional) controlled by the issuer, and is part of the card meta-data.
>
> A user has control by selecting an auditing card or a non-auditing card. However the selectors don't show the user what sort of card it is. They could do it, but the current ones don't to my knowledge.
>
> John B.
>
> On 2009-12-07, at 7:28 AM, Mario Ivkovic wrote:
>
>> Hi all,
>>
>> I've a question regarding encryption and privacy. Maybe this has already been discussed and I missed it.
>>
>> A security token issued by an IdP is - if the IdP knows the certificate of the RP - encrypted with the RP's public key.
>>
>> But if for some reason the user doesn't want the IdP to know the RP but still wants encryption, this cannot be done. Is it possible to encrypt the token with a public key belonging to the user (card selector)? The user then decrypts the token, verifies it, and then encrypts it again with the RP's public key.
>>
>> kind regards,
>>
>> Mario

--
DI Mario Ivkovic
A-SIT, Secure Information Technology Center - Austria
Inffeldgasse 16a, A-8010 Graz, Austria
Tel.: +43 (316) 873-5528
Fax.: +43 (316) 873-105521
Mario.Ivkovic@a-sit.at
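The two-hop exchange John describes (IdP encrypts to the selector, the selector decrypts and re-encrypts to the RP, with an audience restriction present only for an auditing card) is what Mario's original question asked for. The following Go program is an added worked example; it is not code from this thread, from the OASIS IMI specification or from any card selector. It assumes Go's standard crypto/rsa, uses a small JSON struct and direct RSA-OAEP in place of a SAML assertion and XML Encryption (a real assertion is hybrid-encrypted), and the names Parties, Relay, seal, open, the subject and the RP identifier are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Token is a constructed, simplified stand-in for the SAML assertion: a subject
// plus an audience restriction, absent for non-auditing cards.
type Token struct {
	Subject  string `json:"subject"`
	Audience string `json:"audience,omitempty"`
}

// Envelope is a token encrypted to one recipient plus the IdP's signature over
// the plaintext. A real assertion is hybrid-encrypted with XML Encryption; here
// the small token is RSA-OAEP encrypted directly to keep the hops visible.
type Envelope struct{ Ciphertext, Signature []byte }

// Parties holds the three key pairs: the IdP signs, the selector and RP decrypt.
type Parties struct{ IdP, Selector, RP *rsa.PrivateKey }

func NewParties() (p Parties, err error) {
	for _, k := range []**rsa.PrivateKey{&p.IdP, &p.Selector, &p.RP} {
		if *k, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return Parties{}, err
		}
	}
	return p, nil
}

// seal encrypts plaintext to pub and carries along the IdP signature sig.
func seal(pub *rsa.PublicKey, plaintext, sig []byte) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Signature: sig}, nil
}

// open decrypts env with priv and checks the IdP signature before any field of
// the token is trusted; the selector and the RP both run this step.
func open(priv *rsa.PrivateKey, idp *rsa.PublicKey, env Envelope) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(plain)
	if err := rsa.VerifyPSS(idp, crypto.SHA256, d[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("IdP signature invalid: %w", err)
	}
	return plain, nil
}

// Relay runs the exchange John describes. The IdP signs the token and encrypts it
// to the selector; it writes an audience restriction only for an auditing card,
// the one case where it must know the RP. The selector opens, verifies and
// re-encrypts to the RP, which opens, verifies and enforces the audience.
func Relay(p Parties, auditing bool, rpID string) (Token, error) {
	tok := Token{Subject: "mario@example.test"} // constructed sample subject
	if auditing {
		tok.Audience = rpID
	}
	plain, _ := json.Marshal(tok)
	d := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, p.IdP, crypto.SHA256, d[:], nil)
	if err != nil {
		return Token{}, err
	}
	// Two hops, each encrypted to that hop's own key: IdP -> selector, selector -> RP.
	for _, next := range []*rsa.PrivateKey{p.Selector, p.RP} {
		env, err := seal(&next.PublicKey, plain, sig)
		if err != nil {
			return Token{}, err
		}
		if plain, err = open(next, &p.IdP.PublicKey, env); err != nil {
			return Token{}, err
		}
	}
	var out Token
	if err := json.Unmarshal(plain, &out); err != nil {
		return Token{}, err
	}
	if out.Audience != "" && out.Audience != rpID {
		return Token{}, fmt.Errorf("token audience %q is not this RP", out.Audience)
	}
	return out, nil
}
```

The point the example makes visible is the one John states: the selector can re-encrypt but cannot alter the token, because the IdP's signature is verified at both hops, and with a non-auditing card the IdP never needs the RP's identity, so the RP receives a valid token with no audience restriction to check. The privacy the user gains toward the IdP is therefore paid for with the loss of the audience check, which is exactly the trade-off a user cannot currently see in the selector.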