OASIS Mailing List Archives

imi message



Subject: Re: [imi] Question regarding encryption


In the US ICAM profile for IMI, auditing mode cards are required, but the
IdPs are restricted from using the information.

The practical problem is that the large IdPs are not going to provide
valuable verified attributes to unknown relying parties.
They want the ability to protect a user from sending their verified SSN
and other personal info to a phishing site.

So in the US at least there is no non-auditing option at the moment for
the gov. This puts IMI, SAML, OpenID and FPKI (the OCSP request gives
away where the cert is used) in the same boat.

So yes, if an issuer was allowed to issue the card by the gov and an issuer
chose to issue it, and the user understood the difference, they could
elect to use that card to protect their privacy from the issuer.

Part of the US situation is cultural. They generally trust the private
sector more than the government. That is why they don't have a
national ID.

Other jurisdictions may have different views on privacy.

I think however that it will be difficult to get issuers to put verified
attributes on non-auditing cards for a number of business related
reasons.

If on the other hand it was the Gov being the issuer I can easily see
that as being non-auditing.

John B.
On 2009-12-07, at 10:22 AM, Mario Ivkovic wrote:

> Hi John,
>
> thanks for your quick response. I'll check how some of the publicly
> available IdPs handle non-auditing cards.
>
>> In principle if a user doesn't want an IdP to know where they are
>> using the card, they should use a p-card or choose an
>> issuer they trust.
>
> I was thinking of a government-driven IdP where users probably don't
> want the IdP to know all services they use.
>
>
> kind regards,
>
> Mario
>
> John Bradley wrote:
>> Mario,
>> If an auditing mode card is not used, there is no audience
>> restriction in the SAML token.
>> The response is encrypted to the selector and then the selector
>> encrypts it to the RP.
>> In both cases the RP receives a token encrypted with its public key.
>> If the RP is not SSL the token is not encrypted to the RP in either
>> case.
>> Auditing or not is largely (read the spec for auditing optional)
>> controlled by the issuer, and is part of the card
>> meta-data.
>> A user has control by selecting an auditing card or a non-auditing
>> card. However the selectors don't show the user
>> what sort of card it is. They could do it, but the current ones
>> don't to my knowledge.
>
>> John B. On 2009-12-07, at 7:28 AM, Mario Ivkovic wrote:
>>> Hi all,
>>> I've a question regarding encryption and privacy. Maybe this has
>>> already been discussed and I missed it.
>>> A security token issued by an IdP is - if the IdP knows the
>>> certificate of the RP - encrypted with the RP's public
>>> key.
>>> But if for some reason the user doesn't want the IdP to know the
>>> RP but still wants encryption, this cannot be
>>> done. Is it possible to encrypt the token with a public key
>>> belonging to the user (card selector)? The user then
>>> decrypts the token, verifies it, and then encrypts it again with the
>>> RP's public key.
>>> kind regards,
>>> Mario
>>> --
>>> DI Mario Ivkovic, A-SIT, Secure Information Technology Center - Austria
>>> Inffeldgasse 16a, A-8010 Graz, Austria
>>> Tel.: +43 (316) 873-5528  Fax.: +43 (316) 873-105521
>>> Mario.Ivkovic@a-sit.at
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail. Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
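The relay that Mario asks about and John confirms (the IdP encrypts the signed token to the selector, the selector checks it and re-encrypts it to the RP, so the IdP is never handed the RP's certificate), as an added example that is not part of this thread or of the IMI spec: Ed25519 and RSA-OAEP stand in for the SAML signature and XML encryption IMI actually uses, and the claims, key names and function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed sample claims for a non-auditing card: no audience/RP field,
// so the IdP never has to learn which RP will consume the token.
const SampleClaims = `{"iss":"idp.example","sub":"user42","verified":true}`

// seal encrypts the signed token to one recipient (RSA-OAEP directly on the
// short token; a deployment would wrap a symmetric key instead).
func seal(pub *rsa.PublicKey, tok []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tok, nil)
}

// openToken decrypts with the recipient's key and verifies the IdP signature
// over claims||sig, returning the signed bytes unchanged for relaying.
func openToken(priv *rsa.PrivateKey, idpPub ed25519.PublicKey, ct []byte) (claims, tok []byte, err error) {
	if tok, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil); err != nil {
		return nil, nil, err
	}
	n := len(tok) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(idpPub, tok[:n], tok[n:]) {
		return nil, nil, errors.New("IdP signature invalid")
	}
	return tok[:n], tok, nil
}

// IdpIssue: the IdP signs the claims and encrypts to the selector's key only;
// it is never given the RP's certificate, so it cannot tell where the card is used.
func IdpIssue(idpPriv ed25519.PrivateKey, selPub *rsa.PublicKey, claims []byte) ([]byte, error) {
	return seal(selPub, append(append([]byte{}, claims...), ed25519.Sign(idpPriv, claims)...))
}

// SelectorRelay: the selector decrypts, checks the IdP signature, and
// re-encrypts the unchanged signed token to the RP the user picked.
func SelectorRelay(selPriv *rsa.PrivateKey, idpPub ed25519.PublicKey, rpPub *rsa.PublicKey, ct []byte) ([]byte, error) {
	_, tok, err := openToken(selPriv, idpPub, ct)
	if err != nil {
		return nil, err
	}
	return seal(rpPub, tok)
}

// RpAccept: the RP decrypts with its own key and verifies the IdP signature,
// which the selector could neither forge nor alter undetected.
func RpAccept(rpPriv *rsa.PrivateKey, idpPub ed25519.PublicKey, ct []byte) ([]byte, error) {
	claims, _, err := openToken(rpPriv, idpPub, ct)
	return claims, err
}
```

Because the token carries no audience, the check in RpAccept confirms only who issued the claims, not that they were meant for this RP, which is the missing audience restriction John points out for non-auditing cards.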




