[Openid-specs-ab] Key Management challenges with OpenID Connect Federation 1.0 - draft 00

Nick Roy nroy at internet2.edu
Mon Aug 1 16:23:02 UTC 2016


Thanks Mike - do you mind if I pass this along to REFEDS' OIDC list to see if others there share this concern?

Thanks,

Nick

On 7/27/16, 8:59 PM, "Mike Schwartz" <mike at gluu.org> wrote:

    Nick,
    
    Thanks for the feedback!
    
    > When I talked about how to enforce change management and policy
    > changes in a federation, in this model, with Roland, he said that is
    > down to shortening the TTL on the certificates.
    
    I'm not sure to which certificates you are referring. When I discussed the
    pre-draft with Roland at IIW, he indicated that his belief was that
    federation signing keys need to be updated rarely or never.
    
    > As far as an org doing key management goes,
    > yep, that's a concern, but maybe part of the eventual implementation
    > of this draft would be a set of tools to help the parties manage their
    > keys?
    
    There are many tools already for key management. The existence of these
    tools has not alleviated the problem. Organizations have trouble managing
    SSL keys. What makes me think twice about this proposed solution is that
    we are putting the burden of key management on a "developer" and a
    "Relying Party Admin."
    
    > While I'm at it - does anyone think that HSMs might be necessary to
    > securely implement this topology?
    
    Yes, I do... and I seriously doubt many RPs or OPs will be able to
    support it. Here at Gluu, we implemented an open source HSM gateway:
       https://github.com/GluuFederation/oxEleven
    and then we updated our OP to use local key storage, or to call the
    gateway. It was a lot of work... I seriously doubt that devs or RP admins
    will bother.
    
    - Mike
    