imi message

Subject: Re: [imi] Question regarding encryption

From: Mario Ivkovic <mario.ivkovic@a-sit.at>
To: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 07 Dec 2009 18:34:53 +0100

In my envisaged scenario the user would sign an RP defined message and 
transmit it to the IdP. The IdP adds the signed message and the
users public key as additional claims to the token.

I think this could solve the mentioned issues. The IdP does not know the
RP and the RP can be sure that the user is the stated one. Replay
attacks are also not possible because of the signed message which can be 
seen as a HoK proof.

The only problem is, that this is not possible with the current spec.


kind regards,

Mario




-- 

Mario Ivkovic
A-SIT, Secure Information Technology Center - Austria
Inffeldgasse 16a, A-8010 Graz, Austria
Tel.: +43 (316) 873-5528  Fax.: +43 (316) 873-105521
Mario.Ivkovic@a-sit.at

References:
- [OASIS Issue Tracker] Created: (IMI-25) ic09:X509Principal andic09:X509SubjectAndIssuer introduced in locations that violate IMI 1.0schema
  - From: OASIS Issues Tracker <workgroup_mailer@lists.oasis-open.org>
- Question regarding encryption
  - From: Mario Ivkovic <mario.ivkovic@a-sit.at>
- Re: [imi] Question regarding encryption
  - From: John Bradley <jbradley@mac.com>
- Re: [imi] Question regarding encryption
  - From: Mario Ivkovic <mario.ivkovic@a-sit.at>
- Re: [imi] Question regarding encryption
  - From: John Bradley <jbradley@mac.com>
- Re: [imi] Question regarding encryption
  - From: John Bradley <jbradley@mac.com>
- RE: [imi] Question regarding encryption
  - From: "Scott Cantor" <cantor.2@osu.edu>