[Openid-specs-ab] Key Management challenges with OpenID Connect Federation 1.0 - draft 00
Nick Roy
nroy at internet2.edu
Wed Jul 27 19:06:39 UTC 2016
When I talked about how to enforce change management and policy changes in a federation, in this model, with Roland, he said that is down to shortening the TTL on the certificates. So, I think that may be the answer to the key lifetime part of your concern. I have to admit, I haven't read the draft in a couple months, so I could be wrong/mis-remembering. As far as an org doing key management goes, yep, that's a concern, but maybe part of the eventual implementation of this draft would be a set of tools to help the parties manage their keys?
While I'm at it - does anyone think that HSMs might be necessary to securely implement this topology?
Nick
On 7/26/16, 8:25 PM, "Openid-specs-ab on behalf of Mike Schwartz via Openid-specs-ab" <openid-specs-ab-bounces at lists.openid.net on behalf of openid-specs-ab at lists.openid.net> wrote:
OpenID Connect gurus:
I have many comments on the "OpenID Connect Federation 1.0 - draft 00",
but I'll start at this design question: Is this proposed trust model too
complicated?
Although key management is a well defined domain, in practice
organizations have significant challenges managing keys. There are a lot
of keys sprinkled around the organization, in a lot of formats.
If I am reading this proposal correctly, it suggests adding three long
lived keys: one each for the developer, RP and OP.
1) Is this really a good idea?
2) OpenID Connect key rotation is frequent. But the suggestion here is
that the federation keys would be infrequently / never updated. Why the
dichotomy? Inevitably when key rotation is required, what is the impact?
- Mike Schwartz
PS: There are many distracting typos. Is there a place to submit pull
requests so I don't waste time posting spelling corrections on the list?
-------------------------------------
Michael Schwartz
Gluu
http://gluu.org
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab