'Re: Decryption config'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       shibboleth-dev
Subject:    Re: Decryption config
From:       Brent Putman <putmanb () georgetown ! edu>
Date:       2014-05-29 21:19:50
Message-ID: 5387A476.3060400 () georgetown ! edu
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


On 5/29/14 4:44 PM, Cantor, Scott wrote:
> Only if I reuse an existing setting, otherwise there's no way to no what
> key to use. If I add a setting to specify the encryption key, that would
> have to be set, and no existing config has it, so you wouldn't get t	he
> support.

Oh, I see.  You meant an actual legacy config (an actual existing file),
not someone who just wanted to use the legacy config generally and
possibly add the decryption cred if they needed.

So I'd personally still say then either not support it at all, or add a
new attribute for the decryption cred.

Also, not to point out the obvious, but reusing the signing cred ref
doesn't necessarily work at a technical level.  It obviously does happen
to work if it's an RSA key (presumably the 99%+ case today for existing
configs), but if/when people start moving to EC and start signing that
way, that would break. (At least until we start supporting the ECDH
stuff, and I'm not sure about the particulars, still need to fully grok
that).



[Attachment #5 (text/html)]

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <div class="moz-cite-prefix">On 5/29/14 4:44 PM, Cantor, Scott
      wrote:<br>
    </div>
    <blockquote cite="mid:CFAD1433.DB32%25cantor.2@osu.edu" type="cite">
      <pre wrap="">
Only if I reuse an existing setting, otherwise there's no way to no what
key to use. If I add a setting to specify the encryption key, that would
have to be set, and no existing config has it, so you wouldn't get t	he
support.</pre>
    </blockquote>
    <br>
    Oh, I see.&nbsp; You meant an actual legacy config (an actual existing
    file), not someone who just wanted to use the legacy config
    generally and possibly add the decryption cred if they needed.<br>
    <br>
    So I'd personally still say then either not support it at all, or
    add a new attribute for the decryption cred.<br>
    <br>
    Also, not to point out the obvious, but reusing the signing cred ref
    doesn't necessarily work at a technical level.&nbsp; It obviously does
    happen to work if it's an RSA key (presumably the 99%+ case today
    for existing configs), but if/when people start moving to EC and
    start signing that way, that would break. (At least until we start
    supporting the ECDH stuff, and I'm not sure about the particulars,
    still need to fully grok that).<br>
    <br>
    <br>
  </body>
</html>


--
To unsubscribe from this list send an email to dev-unsubscribe@shibboleth.net

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic