[Openid-specs-ab] Key Management challenges with OpenID Connect Federation 1.0 - draft 00

Mike Schwartz mike at gluu.org
Thu Jul 28 02:59:54 UTC 2016


Nick,

Thanks for the feedback!

> When I talked about how to enforce change management and policy
> changes in a federation, in this model, with Roland, he said that is
> down to shortening the TTL on the certificates.

I'm not sure to which certificates you are referring. When I discussed the
pre-draft with Roland at IIW, he indicated that his belief was that
federation signing keys need to be updated rarely or never.

> As far as an org doing key management goes,
> yep, that's a concern, but maybe part of the eventual implementation
> of this draft would be a set of tools to help the parties manage their
> keys?

There are many tools already for key management. The existence of these tools
has not alleviated the problem. Organizations have trouble managing SSL keys.
What makes me think twice about this proposed solution is that we are putting
the burden of key management on a "developer" and a "Relying Party Admin."

> While I'm at it - does anyone think that HSMs might be necessary to
> securely implement this topology?

Yes, I do... and I seriously doubt many RPs or OPs will be able to
support it. Here at Gluu, we implemented an open source HSM gateway:
   https://github.com/GluuFederation/oxEleven
and then we updated our OP to use local key storage, or to call the gateway.
It was a lot of work... I seriously doubt that devs or RP admins will bother.

- Mike