IdP metadata based on multiple signing certificates

[Ian Young]

On 14 Aug 2012, at 08:29, Dennis Wagelaar <dennis.wagelaar at healthconnect.be> wrote:

> Thanks for the answer! It is clear that there's (much) more to it than just having the certificates signed by a single root cert. There's also the issue of compromised private keys on the "personal" IdP; anyone who can gain access to the PC with the IdP on it, can get to the key. Having multiple IdP certificates is a start, but certainly does not solve the problem by itself...

Given that you're also talking about "multiple signing certificates" for (presumably) a single logical SAML entity in metadata that's implemented my multiple "personal" physical IdPs, it's also worth noting that in that situation the SP doesn't make any of this detail visible to the application.  They are all the same IdP as far as it's concerned, which means a compromise of any of those credentials compromises the whole system.

I suppose you could hack round that by having your application look at the raw assertion after the SP has validated it, but you'd be kind of piling up complexity there and I don't think anyone would recommend that route.  The more conventional approach would be to have each of those personal IdPs represented by its own SAML entity, with its own key.  A compromised personal IdP can't impersonate anyone else if you do that, and the whole rationale for looking at the PKIX trust model also disappears.

	-- Ian



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
Url : http://shibboleth.net/pipermail/users/attachments/20120814/883a6010/attachment-0001.bin