

Subject: RE: [imi] Question regarding encryption


The openinfocard selector transmits the RP's SSL cert to the IdP if and
only if the RequireAppliesTo is in the card chosen by the user.
The IdP is authenticated to the selector by its SSL cert and the user is
authenticated to the IdP by one of the four authentication methods. The
connection is encrypted using SSL.
The xmldap STS always signs the SAML assertion and encrypts it if it has
a public key of a recipient to encrypt it to.
Back to the openinfocard selector: If the assertion received by the
IdP is SAML and is not encrypted the openinfocard selector encrypts it
using the RP's certificate.

So if the RP is connected by SSL the SAML assertion is always encrypted
if you use openinfocard.

-Axel

-----Original Message-----
From: Mario Ivkovic [mailto:mario.ivkovic@a-sit.at] 
Sent: Monday, December 07, 2009 11:28 AM
To: imi@lists.oasis-open.org
Subject: [imi] Question regarding encryption

Hi all,

I've a question regarding encryption and privacy. Maybe this has
already been discussed and I missed it.


A security token issued by an IdP is - if the IdP knows the certificate
of the RP - encrypted with the RP's public key.

But if for some reason the user doesn't want the IdP to know the RP
but still wants encryption, this cannot be done.
Is it possible to encrypt the token with a public key belonging to the
user (card selector)? The user then decrypts the token, verifies it,
and then encrypts it again with the RP's public key.

kind regards,

Mario

-- 

DI Mario Ivkovic
A-SIT, Secure Information Technology Center - Austria
Inffeldgasse 16a, A-8010 Graz, Austria
Tel.: +43 (316) 873-5528  Fax.: +43 (316) 873-105521
Mario.Ivkovic@a-sit.at
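Added example (not code from this thread, from openinfocard or from xmldap): a Go model of the token flow both messages describe. The IdP signs every assertion and encrypts it only when it has a recipient key; the selector encrypts a cleartext token to the RP, passes an RP-addressed token through untouched, and, for Mario's proposal, decrypts a token addressed to its own key, verifies the IdP signature and re-encrypts it to the RP. RSA-PSS and RSA-OAEP with AES-GCM stand in for the XML-Signature and XML-Encryption used on the wire; the byte layout, the sample assertion and all function names are assumptions made for this example, and the SSL transport is left out.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope models "encrypted to a certificate": an AES-256-GCM key wrapped with RSA-OAEP (not real XML-Encryption).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// Token is the STS output: the signed assertion, in the clear or inside an Envelope.
type Token struct{ Plain []byte; Encrypted *Envelope }

// signAssertion returns assertion || RSA-PSS signature; the signature is always modulus-sized, so no framing is needed.
func signAssertion(idp *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	d := sha256.Sum256(assertion)
	sig, err := rsa.SignPSS(rand.Reader, idp, crypto.SHA256, d[:], nil)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, assertion...), sig...), nil
}

// verifyAssertion splits off the trailing signature and checks it against the IdP's public key.
func verifyAssertion(idpPub *rsa.PublicKey, signed []byte) ([]byte, error) {
	n := len(signed) - idpPub.Size()
	if n < 0 {
		return nil, fmt.Errorf("token shorter than one signature")
	}
	d := sha256.Sum256(signed[:n])
	if err := rsa.VerifyPSS(idpPub, crypto.SHA256, d[:], signed[n:], nil); err != nil {
		return nil, err
	}
	return signed[:n], nil
}

func encryptTo(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 44) // 32-byte content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // a 32-byte key is always a valid AES key
	gcm, _ := cipher.NewGCM(block)
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

func decryptWith(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // OAEP fails cleanly when the envelope was made for another key
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// stsIssue models the xmldap STS as Axel describes it: always sign, encrypt only when a recipient key is known.
func stsIssue(idp *rsa.PrivateKey, recipient *rsa.PublicKey, assertion []byte) (Token, error) {
	signed, err := signAssertion(idp, assertion)
	if err != nil || recipient == nil {
		return Token{Plain: signed}, err
	}
	env, err := encryptTo(recipient, signed)
	return Token{Encrypted: env}, err
}

// selectorForward is the selector's hop: a cleartext token is encrypted to the RP (openinfocard
// behaviour); one encrypted to the selector itself is decrypted, signature-checked and re-encrypted
// to the RP (Mario's proposal); one the selector cannot open was already for the RP and passes through.
func selectorForward(sel *rsa.PrivateKey, idpPub, rpPub *rsa.PublicKey, tok Token) (*Envelope, error) {
	if tok.Encrypted == nil {
		return encryptTo(rpPub, tok.Plain)
	}
	signed, err := decryptWith(sel, tok.Encrypted)
	if err != nil {
		return tok.Encrypted, nil
	}
	if _, err := verifyAssertion(idpPub, signed); err != nil {
		return nil, fmt.Errorf("selector: IdP signature invalid: %w", err)
	}
	return encryptTo(rpPub, signed)
}

// rpReceive is the RP's side: decrypt with its own key, then verify the IdP signature.
func rpReceive(rp *rsa.PrivateKey, idpPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	signed, err := decryptWith(rp, env)
	if err != nil {
		return nil, err
	}
	return verifyAssertion(idpPub, signed)
}
```

The point the model makes is that the IdP's signature covers the assertion, not the envelope, so it still verifies at the RP after the selector has decrypted and re-encrypted the token; in that path the selector holds the assertion in the clear and can check the signature before forwarding, which is what Mario's proposal asks for, and a token the selector cannot open (because the IdP already knew the RP's key) is forwarded as received.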



