[Openid-specs-ab] Key Management challenges with OpenID Connect Federation 1.0 - draft 00

Nick Roy nroy at internet2.edu
Mon Aug 1 18:53:38 UTC 2016


Thanks - I cross-posted and cc:ed you.

On 8/1/16, 12:22 PM, "Mike Schwartz" <mike at gluu.org> wrote:

    yes, sure.
    
    
    On 2016-08-01 11:23, Nick Roy wrote:
    > Thanks Mike - do you mind if I pass this along to REFEDS' OIDC list to
    > see if others there share this concern?
    > 
    > Thanks,
    > 
    > Nick
    > 
    > On 7/27/16, 8:59 PM, "Mike Schwartz" <mike at gluu.org> wrote:
    > 
    >     Nick,
    > 
    >     Thanks for the feedback!
    > 
    >     > When I talked about how to enforce change management and policy
    >     > changes in a federation, in this model, with Roland, he said that is
    >     > down to shortening the TTL on the certificates.
    > 
    >     I'm not sure to which certificates you are referring. When I discussed
    >     the pre-draft with Roland at IIW, he indicated that his belief was that
    >     federation signing keys need to be updated rarely or never.
    > 
    >     > As far as an org doing key management goes,
    >     > yep, that's a concern, but maybe part of the eventual implementation
    >     > of this draft would be a set of tools to help the parties manage their
    >     > keys?
    > 
    >     There are many tools already for key management. The existence of these
    >     tools has not alleviated the problem. Organizations have trouble managing
    >     SSL keys.
    >     What makes me think twice about this proposed solution is that we are
    >     putting the burden of key management on a "developer" and a "Relying Party
    >     Admin."
    > 
    >     > While I'm at it - does anyone think that HSMs might be necessary to
    >     > securely implement this topology?
    > 
    >     Yes, I do... and I seriously doubt many RPs or OPs will be able to
    >     support it. Here at Gluu, we implemented an open source HSM gateway:
    >        https://github.com/GluuFederation/oxEleven
    >     and then we updated our OP to use local key storage, or to call the
    >     gateway.
    >     It was a lot of work... I seriously doubt that devs or RP admins will
    >     bother.
    > 
    >     - Mike
    