On Thu, Apr 20, 2017 at 6:46 PM, Johann Nallathamby <[email protected]> wrote:

> On Thu, Apr 20, 2017 at 3:27 PM, Asela Pathberiya <[email protected]> wrote:
>
>> On Tue, Apr 18, 2017 at 11:51 AM, Asela Pathberiya <[email protected]> wrote:
>>
>>> On Mon, Apr 17, 2017 at 12:00 PM, Godwin Shrimal <[email protected]> wrote:
>>>
>>>> +1 to have separate keystores for secure vault & token signing. Any
>>>> reason/use case to have separate keystores for each token signing? Will it
>>>> not add more overhead on deployment and maintenance? With the custom
>>>> inbound authenticator feature you can plug your own inbound authenticator
>>>> and then we have to think which token signing keystore we use?
>>>
>>> Usually one private key is enough for token signing. But, if the SP/IDP
>>> restricts us to using a private key which is signed by a given CA (custom CA),
>>> we may need to configure more keystores.
>>>
>>>> Thanks
>>>> Godwin
>>>>
>>>> On Wed, Apr 12, 2017 at 5:58 PM, Asela Pathberiya <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> According to the current design, the KeyStore which is defined in the
>>>>> carbon.xml file is used for both secure vault & token signing
>>>>> (SAML/id_token), which is not a good design. We need to keep a separate
>>>>> keystore for secure vault as it cannot be modified.
>>>>>
>>>>> Also, to add more flexibility, it is better to have a separate keystore
>>>>> for each token signing. I know we can extend & achieve this, but a default
>>>>> implementation would be great.
>>>>>
>>>>> Shall we add this to the next WSO2IS release as this is a simple
>>>>> improvement?
>>
>> Can someone confirm whether this is in the WSO2IS road map?
>
> Are you referring to private key per SP or private key per inbound
> protocol?

Actually for now it is better to have separate keys for data encryption & all
token signing regardless of the protocol.

> BTW, Shariq is implementing externalizing the signing and encryption part
> [1]. Private key per SP would be an extended implementation of this. I am
> not sure if we need private key per inbound protocol. If needed we can
> again extend the implementation.
>
> [1] https://redmine.wso2.com/issues/2156
>
> Regards,
> Johann.
>
>>>>> Thanks,
>>>>> Asela.
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> Asela
>>>>>
>>>>> ATL
>>>>> Mobile : +94 777 625 933
>>>>> +358 449 228 979
>>>>>
>>>>> http://soasecurity.org/
>>>>> http://xacmlinfo.org/
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> [email protected]
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>> --
>>>> *Godwin Amila Shrimal*
>>>> WSO2 Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> mobile: *+94772264165*
>>>> linkedin: *http://lnkd.in/KUum6D*
>>>> twitter: https://twitter.com/godwinamila
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com*
