Hi Asela, On Thu, Apr 20, 2017 at 7:02 PM Asela Pathberiya <[email protected]> wrote:
> On Thu, Apr 20, 2017 at 6:46 PM, Johann Nallathamby <[email protected]> wrote:
>
>> On Thu, Apr 20, 2017 at 3:27 PM, Asela Pathberiya <[email protected]> wrote:
>>
>>> On Tue, Apr 18, 2017 at 11:51 AM, Asela Pathberiya <[email protected]> wrote:
>>>
>>>> On Mon, Apr 17, 2017 at 12:00 PM, Godwin Shrimal <[email protected]> wrote:
>>>>
>>>>> +1 to have separate keystores for secure vault & token signing. Any
>>>>> reason/use case to have separate keystores for each token signing? Will it
>>>>> not add more overhead on deployment and maintenance? With the custom
>>>>> inbound authenticator feature you can plug your own inbound authenticator,
>>>>> and then we have to think which token signing keystore we use?
>>>>
>>>> Usually one private key is enough for token signing. But if the SP/IDP
>>>> restricts us to using a private key which is signed by a given CA (custom
>>>> CA), we may need to configure more keystores.
>>>>
>>>>> Thanks
>>>>> Godwin
>>>>>
>>>>> On Wed, Apr 12, 2017 at 5:58 PM, Asela Pathberiya <[email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> According to the current design, the KeyStore which is defined in the
>>>>>> carbon.xml file is used for both secure vault & token signing
>>>>>> (SAML/id_token), which is not a good design. We need to keep a separate
>>>>>> keystore for secure vault as it cannot be modified.
>>>>>>
>>>>>> Also, to add more flexibility, it is better to have a separate keystore
>>>>>> for each token signing. I know we can extend & achieve this, but a
>>>>>> default implementation would be great.
>>>>>>
>>>>>> Shall we add this to the next WSO2IS release, as this is a simple
>>>>>> improvement?
>>>
>>> Can someone confirm whether this is in the WSO2IS road map?
>>
>> Are you referring to private key per SP or private key per inbound
>> protocol?
>
> Actually for now it is better to have separate keys for data encryption &
> all token signing regardless of the protocol.

Using a different key for data encryption is something we have already discussed and implemented with kernel 4.4.3. Refer to the thread [1]. IMO what we are missing here is utilizing that capability in the secure vault implementation.

[1] [Architecture] [IS] Move to symmetric data encryption from asymmetric encryption

Thanks,

>> BTW, Shariq is implementing externalizing the signing and encryption part
>> [1]. Private key per SP would be an extended implementation of this. I am
>> not sure if we need private key per inbound protocol. If needed we can
>> again extend the implementation.
>>
>> [1] https://redmine.wso2.com/issues/2156
>>
>> Regards,
>> Johann.
>>
>>>>>> Thanks,
>>>>>> Asela.
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> Asela
>>>>>>
>>>>>> ATL
>>>>>> Mobile : +94 777 625 933
>>>>>> +358 449 228 979
>>>>>>
>>>>>> http://soasecurity.org/
>>>>>> http://xacmlinfo.org/
>>>>>
>>>>> --
>>>>> Godwin Amila Shrimal
>>>>> WSO2 Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> mobile: +94772264165
>>>>> linkedin: http://lnkd.in/KUum6D
>>>>> twitter: https://twitter.com/godwinamila
>>
>> --
>> Thanks & Regards,
>>
>> Johann Dilantha Nallathamby
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - +94777776950
>> Blog - http://nallaa.wordpress.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
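The separation the thread argues for, as an added illustration that is not part of this mailing-list discussion and not WSO2 code: a Go sketch of the two designs side by side. In the first, one RSA private key (the carbon.xml keystore key in the thread) both protects secure-vault secrets with RSA-OAEP and signs tokens; in the second, the vault uses its own symmetric AES-256-GCM key (the symmetric data-encryption approach Johann refers to) while token signing has an independent RSA key. Rotating or replacing the signing key, which is exactly what an SP that insists on a CA-issued signing certificate forces on you, makes every stored vault secret unreadable in the first design and touches nothing in the second. The type and function names (SharedKeyServer, SeparateKeyServer, RotationOutcome) and the sample secret are hypothetical.

```go
package main

// Added example, not WSO2 code; every type, function and value here is hypothetical.

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	must(err)
	return b
}
func newRSA() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return k
}
// signToken signs a token payload (SAML assertion, id_token) with RSA-PSS.
func signToken(k *rsa.PrivateKey, tok []byte) []byte {
	h := sha256.Sum256(tok)
	sig, err := rsa.SignPSS(rand.Reader, k, crypto.SHA256, h[:], nil)
	must(err)
	return sig
}

// SharedKeyServer is the design the thread objects to: the single carbon.xml
// keystore key both protects vault secrets (RSA-OAEP) and signs tokens.
type SharedKeyServer struct{ key *rsa.PrivateKey }
func (s *SharedKeyServer) EncryptSecret(plain []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.key.PublicKey, plain, nil)
	must(err)
	return ct
}
func (s *SharedKeyServer) DecryptSecret(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, ct, nil)
}
func (s *SharedKeyServer) SignToken(tok []byte) []byte { return signToken(s.key, tok) }
// RotateSigningKey replaces the only key there is, so every vault secret
// encrypted under the old key becomes unreadable.
func (s *SharedKeyServer) RotateSigningKey() { s.key = newRSA() }

// SeparateKeyServer keeps a symmetric AES-256-GCM vault key that signing-key
// changes never touch, plus an independent RSA signing key.
type SeparateKeyServer struct {
	vaultKey   []byte
	signingKey *rsa.PrivateKey
}
func (s *SeparateKeyServer) aead() cipher.AEAD {
	block, err := aes.NewCipher(s.vaultKey)
	must(err)
	g, err := cipher.NewGCM(block)
	must(err)
	return g
}
func (s *SeparateKeyServer) EncryptSecret(plain []byte) []byte {
	g := s.aead()
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
}
func (s *SeparateKeyServer) DecryptSecret(ct []byte) ([]byte, error) {
	g := s.aead()
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
func (s *SeparateKeyServer) SignToken(tok []byte) []byte { return signToken(s.signingKey, tok) }
func (s *SeparateKeyServer) RotateSigningKey()            { s.signingKey = newRSA() }

// RotationOutcome stores a constructed secret under each design, rotates the signing key, and reports what is still readable.
func RotationOutcome() (sharedVaultOK, separateVaultOK bool) {
	secret := []byte("jdbc.password=s3cr3t") // constructed sample vault secret
	shared := &SharedKeyServer{key: newRSA()}
	sep := &SeparateKeyServer{vaultKey: randBytes(32), signingKey: newRSA()}
	ct1, ct2 := shared.EncryptSecret(secret), sep.EncryptSecret(secret)
	shared.RotateSigningKey()
	sep.RotateSigningKey()
	pt1, err1 := shared.DecryptSecret(ct1)
	pt2, err2 := sep.DecryptSecret(ct2)
	return err1 == nil && string(pt1) == string(secret), err2 == nil && string(pt2) == string(secret)
}

func main() {
	shared, separate := RotationOutcome()
	fmt.Printf("vault readable after signing-key rotation: shared=%v separate=%v\n", shared, separate)
}
```

Running it prints `shared=false separate=true`. The practical reading for a deployment is the one Asela gives: the vault key has to stay fixed because re-encrypting every stored secret is the only way to change it, while signing keys are the ones an SP or CA policy will eventually make you swap, so the two must not be the same key material.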
