imi message

Subject: RE: [imi] Question regarding encryption

From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Mario Ivkovic'" <mario.ivkovic@a-sit.at>
Date: Mon, 7 Dec 2009 08:50:55 -0500

Mario Ivkovic wrote on 2009-12-07:
> I was thinking of a government-driven IdP where users probably don't want
> the IdP to know all services they use.

The problem is that bearer tokens are not very safe to use without audience
restrictions. Non-auditing mode is fine in theory and broken in practice
unless a holder of key model is used.
 
-- Scott

References:
- [OASIS Issue Tracker] Created: (IMI-25) ic09:X509Principal andic09:X509SubjectAndIssuer introduced in locations that violate IMI 1.0schema
  - From: OASIS Issues Tracker <workgroup_mailer@lists.oasis-open.org>
- Question regarding encryption
  - From: Mario Ivkovic <mario.ivkovic@a-sit.at>
- Re: [imi] Question regarding encryption
  - From: John Bradley <jbradley@mac.com>
- Re: [imi] Question regarding encryption
  - From: Mario Ivkovic <mario.ivkovic@a-sit.at>