[cryptography] Client certificate crypto with a twist

Joe St Sauver joe at oregon.uoregon.edu
Thu Oct 11 11:23:24 EDT 2012


[This is kind of drifting from the list charter, so I'd invite folks who
may be interested to drop me a note offline, but just in case others are
curious, one pass at the questions raised below...]

#On Wed, Oct 10, 2012 at 4:34 PM, Joe St Sauver <joe at oregon.uoregon.edu> wrote:
#> The nice part about Shib, from a privacy POV, is that you only release/get
#> the attributes that may be necessary (thereby preserving user privacy).
#A rather optimistic view of federated identity...
#a) Who determines what is "necessary" and how?

Attribute release policies and relying party requirements jointly determine 
negotiation of released attributes. You can see some examples of attribute 
release policies at:

-- https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth+Attribute+Release+Policies+and+Best+Practices
-- http://www.ucs.cam.ac.uk/raven/attribute-policy
-- http://www.itcs.umich.edu/itcsdocs/r1465/
-- http://www.upenn.edu/computing/weblogin/shibboleth/attribute.html
-- http://technology.pitt.edu/research-computing/rc-incommon-shibboleth/attributes.html
-- http://www.protectnetwork.org/support/policies/attribute-release-policy
-- http://itservices.stanford.edu/service/shibboleth/arp

But what about the other side of the equation, the service providers? 

Service providers who are relying on federated auth request certain attributes. 
If those are released to the provider, authentication proceeds. If the identity
provider elects not to release those attributes, it doesn't. 

You can see an example of what one relying party requires at:


#b) How do you prevent collusion between SPs or SPs and IdPs?

Identity Providers and Relying Parties ALWAYS *collaborate* with each other,
that's what makes federation work. That said, identity providers take their 
privacy obligations very seriously, and tend to be scrupulously careful about
following their articulated attribute release policies, in some cases as a 
matter of personal integrity, in other cases because there are or may be 
legal consequences for any privacy violations.

Relying parties tend to avoid requesting more attributes than they need
because the more they ask for, the greater the likelihood that they'll
experience pushback, or find that IDPs simply won't release what they're

Hope this addresses at least some of your questions, and feel free to 
contact me off list if you have others I can help with.
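As an added illustration of the attribute release side of the exchange described above (this is example configuration written for this page, not part of Joe's message and not taken from any of the linked policies), here is what a minimal Shibboleth IdP attribute filter policy looks like. It uses the IdP v3 `urn:mace:shibboleth:2.0:afp` syntax; the relying party entityID `https://sp.example.org/shibboleth` and the attribute IDs are assumed placeholders. Only the attributes this one relying party has asked for are permitted, and only for that requester; anything not matched by a rule is withheld by default.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example attribute-filter.xml fragment (constructed for illustration).
     Shibboleth's filter engine is deny-by-default: an attribute reaches a
     relying party only if some policy explicitly permits it. -->
<AttributeFilterPolicyGroup id="ExampleFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- One policy scoped to exactly one relying party (entityID assumed). -->
    <AttributeFilterPolicy id="releaseToExampleSP">
        <PolicyRequirementRule xsi:type="Requester"
            value="https://sp.example.org/shibboleth" />

        <!-- The SP said it needs a persistent identifier and a display name,
             so those two are released. Attribute IDs are those defined in
             the IdP's attribute-resolver (assumed names here). -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- No rule for mail, eduPersonAffiliation, etc.: they are never sent
             to this SP, even if the resolver has them for the user. -->
    </AttributeFilterPolicy>

    <!-- Affiliation released to every requester in a given federation
         (value-level filtering: only the "member" value is allowed). -->
    <AttributeFilterPolicy id="releaseAffiliationToFederation">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="Value" value="member" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

The two halves of the negotiation the message describes map directly onto this file: the relying party expresses what it wants (in SAML metadata, via `md:RequestedAttribute` elements under an `md:AttributeConsumingService`), and the identity provider's filter policy is the place where its own release policy is enforced regardless of what was requested. When the two do not intersect, the SP simply does not receive the attribute, which is the "it doesn't" case above.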
