When I put out the passive STS it was as a preview so we could work out
these issues. Pablo suggested encrypting the tokens and I didn't see any
dissenting discussions. My vote would be to encrypt the token unless there
is a stack that cannot encrypt the token.

Scott

-----Original Message-----
From: Pablo Cibraro [mailto:[email protected]] 
Sent: Wednesday, October 21, 2009 6:51 AM
To: [email protected]; [email protected]
Subject: RE: Token returned by the .Net passive STS

That's a good question. I asked the same question on the list about two
weeks ago. The specification does not mention anywhere that the token should
be encrypted. However, encrypting the token for the Relying Party is a good
security practice (for confidentiality purposes). For that reason, I decided to
encrypt it in .NET, and I am not sure how the rest of the implementations
are doing it. Can that be done in WSO2 Identity Server?

I am using these certificates,

Token signature => BSL.Com
Token encryption => Trade.Com

Regards,
Pablo. 

-----Original Message-----
From: Chintana Wilamuna [mailto:[email protected]] 
Sent: Wednesday, October 21, 2009 4:04 AM
To: [email protected]
Subject: Token returned by the .Net passive STS

Hi,

The token that .Net passive STS sends has the claims encrypted. Earlier 
I could see the claims in clear text, but in the new implementation 
they seem to be encrypted. Is that the desired behaviour?

Right now WSO2 Identity Server doesn't encrypt the claims in the token. 
Should it be changed to encrypt those?

Bye,

     -Chintana

-- 
http://engwar.com
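A check for what Chintana describes above, as an added example that is not from this thread or from either STS: it parses a WS-Federation wresult and reports whether the SAML assertion is wrapped in xenc:EncryptedData or whether claim attributes are readable in clear text. The sample XML is constructed, and the element names assume the SAML 1.x / XML Encryption namespaces that passive STSs commonly emit.

```python
"""Added example (not from the thread): check whether a WS-Federation
wresult returns an encrypted SAML token or claims in clear text."""
import xml.etree.ElementTree as ET

NS = {
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",   # SAML 1.x (WS-Fed default)
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: claims sent in clear text inside the assertion.
CLEAR_TOKEN = """<t:RequestSecurityTokenResponse
  xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
   <saml:AttributeStatement>
    <saml:Attribute AttributeName="email">
     <saml:AttributeValue>user@example</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

# Constructed sample: the whole assertion is wrapped in xenc:EncryptedData
# (the ciphertext is a placeholder, not real output of any STS).
ENCRYPTED_TOKEN = """<t:RequestSecurityTokenResponse
  xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Type="http://www.w3.org/2001/04/xmlenc#Element">
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

def inspect_token(rstr_xml: str) -> dict:
    """Report whether the token is encrypted and which claims, if any,
    are readable without the relying party's decryption key."""
    root = ET.fromstring(rstr_xml)
    encrypted = root.find(".//xenc:EncryptedData", NS) is not None
    attrs = root.findall(".//saml:Attribute", NS) + root.findall(".//saml2:Attribute", NS)
    names = [a.get("AttributeName") or a.get("Name") for a in attrs]
    return {"encrypted": encrypted, "cleartext_claims": names}

def claims_confidential(rstr_xml: str) -> bool:
    """True only if the token is encrypted and exposes no clear-text claims."""
    r = inspect_token(rstr_xml)
    return r["encrypted"] and not r["cleartext_claims"]
```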