technical-discuss - RE: [InC-Technical] Dual use versus separate keys for signing and encryption
Subject: InCommon Technical Discussions
List archive
- From: "Wessel, Keith" <>
- To: "" <>
- Subject: RE: [InC-Technical] Dual use versus separate keys for signing and encryption
- Date: Fri, 6 Sep 2019 19:05:22 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=illinois.edu; dmarc=pass action=none header.from=illinois.edu; dkim=pass header.d=illinois.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8GPfkjclDrZfYb1c0Ac606aDwJQ52zBFVXU71b4qD7s=; b=ZCTo4OKcY9XDkBbkSqVNFz7lTbB894/lgUS+mNHriJK/Frbq57eM/15xC83oz4ZQYHvCV2DKNpwct1fahadMyeSSxWI3r/xi/P9x2FcYnV7bxLxE0nmLuD5v/7CLYGLoTN0L5YonMdQAL2eUekAIYIR9iAOOGP0hnLpgLof255tIToI5iApCA0AABlN7URUJY4c3p+wBtFerzdwMgbrxF99BkvkShZ6wcEdRrkhxymkavJDvWyjvgMVE6AZSc9YL2JFLnsnqy0X2tt4ilvoZnHOxAVGJXXk6n2mKaAWs6XjJixxdu2Y5S+Ul5lndI1tIdlISOVvcLnlt5AjoHzh1hg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eVKpOIzI3y0iWgsvzaHh0LhtR1GEVnELO3Z6MwyOTQQi0h57E0RssLl8D9CCa7FeQAE+q7u/RRiMlgBt4ohnE4fA3xdWZLIJSkXF2lEPwOG6gJv8J/i1IyokqYNbvrKEvKGu0CIJ9GhcekPQLndHkx2E5GsJB1l4Enad9eXc4XrWJGkWAf/rUsRJoJwREqojhfz1+qa+sEDGebbs7VOzzCIi/fuebQ9/KHQCldb4WB31jKgt8tZxyDf8YETFCOuKmQhnDsaMuijRvQfyaNtEzKWnCumkABpIXRmIYxZhZu9Oh6KEnKQigfj3xqtf71WtKk76SjMJT34waynwUhVSSw==
|
IMHO, separate certs for signing and encryption is not only a good idea, but it’s going to become more popular now that we have improved support for it in the Shibboleth IdP and SP.
The AAF’s federation registry allows just one on registration, but once registered, you can upload a new one and use checkboxes to indicate signing and/or encryption. This is similar to what InCommon has today, of course. It’s an extra step, though, and it’s confusing.
Best usability experience, I think, would be two radio buttons: “Use the same certificate for signing and encryption” and “Use different certificates for signing and encryption”. Then, through the miracles of fancy web design, either one or two boxes would be made available to copy certs into. Bonus points for an option to browse and upload the cert from the client’s computer.
Of course, encryption certificates for the IdP are rather silly. An authn request or logout request serves no purpose being encrypted by the SP. I can see some edge cases where and IdP might want to publish an encryption cert for those purposes, but I’m at a loss to understand what the use case would be.
For the SP, though, this is a big deal or soon will be and, from a security standpoint, should be encouraged.
Keith
From: <>
On Behalf Of Nick Roy
Hi all, This is the start of that thread I mentioned on the participants list, regarding your preferences for ability to select SAML key use in the Federation Manager. Please let me know if you have thoughts about what we should be doing with regards to allowing people to specify separate key uses/upload multiple keys at once/etc. Thank you, Nick |
- [InC-Technical] Dual use versus separate keys for signing and encryption, Nick Roy, 09/06/2019
- RE: [InC-Technical] Dual use versus separate keys for signing and encryption, Wessel, Keith, 09/06/2019
- <Possible follow-up(s)>
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Cantor, Scott, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Scott Koranda, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Cantor, Scott, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Scott Koranda, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Cantor, Scott, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Scott Koranda, 09/06/2019
Archive powered by MHonArc 2.6.19.