security-services message

Subject: Re: [security-services] Third-party AuthnRequest use case

Ok, I see what you're suggesting: an IdP could accept additional third-party
keys, besides those described in an SP's metadata, to validate signatures on
AuthnRequests issued on an SP's behalf. That's certainly one solution, and one
that doesn't require any protocol changes. I think I'd be happier if the third
party was explicitly identified in the request, say as the issuer, and there
was some other place to identify the target SP, but that would require a
protocol change...


On Jun 7, 2005, at 11:30 PM, Scott Cantor wrote:

>> I'm probably just confused, but what I thought you were suggesting was
>> that the portal would be trusted with the signing key of the SP, which
>> I wouldn't expect if the portal lives in a separate organization.
> No, I'd use a different phrasing...the portal might be trusted with a key
> that is authorized by an IdP to sign particular messages (say, an
> AuthnRequest) as the SP. That doesn't mean the portal has the SP's key. It
> just means that the portal's key is authorized (probably by only one IdP) to
> sign for the SP in some constrained way.
>
> As I said, I can't speak for others, but our implementation separates (or at
> least can separate) the keys an entity can use from the entity's "identity".
>
> -- Scott
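The trust model Scott describes (an IdP keeping "which keys may act for an entity" separate from the entity itself, and authorizing a portal's key to sign only AuthnRequests as a particular SP) as an added example. This is not code from the thread or from any SAML implementation; Ed25519 over a length-prefixed tuple stands in for XML-DSig on a real AuthnRequest, and the entityIDs, the request body and the two IdPs are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// MessageType names the kind of SAML message a key is allowed to sign.
type MessageType string

const (
	AuthnRequest  MessageType = "AuthnRequest"
	LogoutRequest MessageType = "LogoutRequest"
)

// Request is a simplified stand-in for a signed SAML request: Issuer is the
// SP the request is made on behalf of; Sig covers Issuer, Type and Payload.
type Request struct {
	Issuer  string
	Type    MessageType
	Payload []byte
	Sig     []byte
}

// signingInput length-prefixes each field so a crafted payload cannot shift
// bytes between the issuer, the message type and the body.
func signingInput(issuer string, t MessageType, payload []byte) []byte {
	var b []byte
	for _, f := range [][]byte{[]byte(issuer), []byte(t), payload} {
		b = append(b, byte(len(f)>>8), byte(len(f)))
		b = append(b, f...)
	}
	return b
}

// SignRequest signs as the named issuer with whatever key the caller holds.
// Nothing here checks that the key belongs to that issuer; that is the IdP's job.
func SignRequest(priv ed25519.PrivateKey, issuer string, t MessageType, payload []byte) Request {
	return Request{Issuer: issuer, Type: t, Payload: payload,
		Sig: ed25519.Sign(priv, signingInput(issuer, t, payload))}
}

// Delegation is an IdP-local rule: Key may sign messages of Type as SP.
type Delegation struct {
	SP   string
	Type MessageType
	Key  ed25519.PublicKey
}

// IdPTrust keeps the keys published in each SP's metadata (SPKeys) apart from
// the extra third-party keys this particular IdP has chosen to accept.
type IdPTrust struct {
	SPKeys      map[string][]ed25519.PublicKey
	Delegations []Delegation
}

var ErrUntrustedSignature = errors.New("no trusted key signed this message type for this issuer")

// Verify accepts r only if a metadata key of the issuer, or a key delegated for
// exactly this issuer and message type, produced a valid signature.
func (t *IdPTrust) Verify(r Request) error {
	candidates := append([]ed25519.PublicKey{}, t.SPKeys[r.Issuer]...)
	for _, d := range t.Delegations {
		if d.SP == r.Issuer && d.Type == r.Type {
			candidates = append(candidates, d.Key)
		}
	}
	msg := signingInput(r.Issuer, r.Type, r.Payload)
	for _, k := range candidates {
		if ed25519.Verify(k, msg, r.Sig) {
			return nil
		}
	}
	return ErrUntrustedSignature
}

// Scenario sets up one SP, one portal and two IdPs (only idpA delegates to the
// portal) and reports which constructed requests each IdP accepts.
func Scenario() (map[string]bool, error) {
	spPub, spPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	portalPub, portalPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Hypothetical entityIDs; the metadata map holds only the SP's own key.
	const sp, otherSP = "https://sp.example.org/saml", "https://other.example.org/saml"
	metadata := map[string][]ed25519.PublicKey{sp: {spPub}}
	idpA := &IdPTrust{SPKeys: metadata, Delegations: []Delegation{{SP: sp, Type: AuthnRequest, Key: portalPub}}}
	idpB := &IdPTrust{SPKeys: metadata}
	body := []byte(`<samlp:AuthnRequest ID="_1"/>`) // constructed placeholder body
	ok := func(idp *IdPTrust, r Request) bool { return idp.Verify(r) == nil }
	return map[string]bool{
		"sp signs AuthnRequest, idpA":                ok(idpA, SignRequest(spPriv, sp, AuthnRequest, body)),
		"portal signs AuthnRequest as sp, idpA":      ok(idpA, SignRequest(portalPriv, sp, AuthnRequest, body)),
		"portal signs LogoutRequest as sp, idpA":     ok(idpA, SignRequest(portalPriv, sp, LogoutRequest, body)),
		"portal signs AuthnRequest as otherSP, idpA": ok(idpA, SignRequest(portalPriv, otherSP, AuthnRequest, body)),
		"portal signs AuthnRequest as sp, idpB":      ok(idpB, SignRequest(portalPriv, sp, AuthnRequest, body)),
	}, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Printf("%-45s accepted=%v\n", k, v)
	}
}
```

The point of the delegation check is that it is keyed on both the claimed issuer and the message type: the portal's key gets the SP's AuthnRequests through idpA, but the same key signing a LogoutRequest as the SP, or an AuthnRequest as some other SP, or anything at all at idpB, is rejected without the SP's own key ever leaving the SP.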
