technical-discuss - Re: [InC-Technical] Dual use versus separate keys for signing and encryption
Subject: InCommon Technical Discussions
- From: "Cantor, Scott" <>
- To: Nick Roy <>, "" <>
- Subject: Re: [InC-Technical] Dual use versus separate keys for signing and encryption
- Date: Fri, 6 Sep 2019 19:42:24 +0000
On 9/6/19, 1:47 PM, "Nick Roy" wrote:
> Please let me know if you have thoughts about what we should be doing with
> regard to allowing people to specify
> separate key uses/upload multiple keys at once/etc.

I would imagine that in most cases, you want to default an IdP to have one or
more signing keys, and leave encryption as an after-step, so I wouldn't
default to dual use.

The SP is really just variable. Obviously Shibboleth generates separate keys
now, but honestly what you really want to do depends on logout support, and I
think if you're looking for a good default, it would be to encourage
non-logout-supporting SPs to only support encryption and default to that with
no signing key. That prevents bad decisions from working without extra
hassle, and people making bad choices don't spend extra time making things
work. We don't want signing, so don't support it.

If logout is included, it just depends on the implementation and deployment;
there's no single answer really. Lots of them are going to be one or the
other and I think you have to ask, and not assume.

-- Scott
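
The defaults suggested in the message above, expressed as a metadata check; this is an added example, not part of the original post and not InCommon or Shibboleth code. It assumes SAML metadata where a `KeyDescriptor` without a `use` attribute is dual use and a `SingleLogoutService` element signals logout support; the entity IDs, function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample, trimmed to the elements the check reads (no certificates).
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
 <md:EntityDescriptor entityID="https://sp1.example.org/sp">
  <md:SPSSODescriptor><md:KeyDescriptor/></md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp2.example.org/sp">
  <md:SPSSODescriptor><md:KeyDescriptor use="encryption"/></md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp3.example.org/sp">
  <md:SPSSODescriptor><md:KeyDescriptor use="signing"/>
   <md:KeyDescriptor use="encryption"/><md:SingleLogoutService/></md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor><md:KeyDescriptor/></md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def key_uses(role):
    """Uses covered by a role's keys; a KeyDescriptor with no 'use' is dual use."""
    uses = set()
    for kd in role.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        uses |= {use} if use else {"signing", "encryption"}
    return uses

def has_dual_use_key(role):
    return any(kd.get("use") is None for kd in role.findall("md:KeyDescriptor", NS))

def review(xml_text):
    """Map entityID -> notes where key usage departs from the suggested defaults."""
    findings = {}
    for ent in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        notes = []
        for sp in ent.findall("md:SPSSODescriptor", NS):
            if sp.find("md:SingleLogoutService", NS) is not None:
                continue  # logout in play: no single answer, ask the deployer
            if "signing" in key_uses(sp):
                notes.append("SP without logout publishes a signing-capable key")
        for idp in ent.findall("md:IDPSSODescriptor", NS):
            if has_dual_use_key(idp):
                notes.append("IdP key is dual use; suggested default is signing only")
        findings[ent.get("entityID")] = notes
    return findings

if __name__ == "__main__":
    for entity_id, notes in review(SAMPLE).items():
        print(entity_id, notes or "ok")
```

Metadata fed to a check like this in production should be signature-verified and parsed with a hardened XML parser first; the sample here is embedded and trusted.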
- [InC-Technical] Dual use versus separate keys for signing and encryption, Nick Roy, 09/06/2019
- RE: [InC-Technical] Dual use versus separate keys for signing and encryption, Wessel, Keith, 09/06/2019
- <Possible follow-up(s)>
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Cantor, Scott, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Scott Koranda, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Cantor, Scott, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Scott Koranda, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Cantor, Scott, 09/06/2019
- Re: [InC-Technical] Dual use versus separate keys for signing and encryption, Scott Koranda, 09/06/2019