[cas-dev] the upcoming (but not too soon CAS4) and the CAS clients

Eric Pierce epierce at usf.edu
Mon Oct 20 15:40:56 EDT 2008


On Mon, Oct 20, 2008 at 9:41 AM, Scott Battaglia
<scott.battaglia at gmail.com> wrote:

>
>
> I'd prefer to use RESTful APIs vs. SOAP APIs if possible, and as stated
> before would like to look for some method sharing keys that doesn't require
> explicit key exchanges and updates on servers.  Any thoughts on that would
> be appreciated.
>

The real problem with key exchange in Shib is the sheer number of public
keys you have to keep up with -- you've got one (or more) IdPs and multiple
SPs per institution in your federation and any of them could change public
keys at any time.  We don't have that complexity in CAS (since we're only
dealing with one IdP) and we can make it much easier to administer by
leveraging the Services Management webapp.  Each CAS-client only needs to
know about one IdP, so shared-secrets are much easier than with Shib.  We
could generate a long random string in the webapp that just needs to be
copy-and-pasted into the CAS-client's config for shared-secret signing.

Another option is using a public/private key pair to identify the cas-client
-- either generating the pair on the CAS server using the Service Management
webapp as a frontend or accepting a public key that is supplied by the
user.  We used to use a mail server called CommuniGate that handled certs
for SMTPS/IMAPS/POPS this way and it was very easy to work with.  You can
see what their key/cert management interface looked like here:
http://www.communigate.com/CommuniGatePro/PKI.html#CertGen


-Eric

-- 
  Eric Pierce, RHCE -- University of South Florida -- (813) 974-8868 --
epierce at usf.edu
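As an added illustration of the shared-secret scheme described above (example code, not from the CAS project or this thread): the server side generates one long random secret per registered service, signs a validation response with it, and the client checks the signature with the secret that was pasted into its config. The registry layout, the JSON message shape and the service URLs are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets


def generate_shared_secret(nbytes=32):
    """Long random string the admin copy-pastes into the CAS client config."""
    return secrets.token_urlsafe(nbytes)


def sign_response(secret, service, payload):
    """Server side: bind the response to one service and MAC it with that service's secret."""
    body = json.dumps({**payload, "service": service}, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_response(secret, expected_service, message):
    """Client side: recompute the MAC with the configured secret and compare in constant time.

    Returns the parsed response on success, None if the signature or service binding fails.
    """
    expected = hmac.new(secret.encode(), message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["sig"]):
        return None
    data = json.loads(message["body"])
    if data.get("service") != expected_service:
        return None  # signed for a different registered service
    return data


def demo():
    """Constructed walk-through: one service registered, one good and one altered message."""
    service = "https://app.example.edu/"  # hypothetical registered service
    registry = {service: generate_shared_secret()}  # stand-in for the Services Management webapp
    msg = sign_response(registry[service], service, {"user": "alice", "ticket": "ST-placeholder"})
    ok = verify_response(registry[service], service, msg)
    altered = dict(msg, body=msg["body"].replace("alice", "bob"))  # body changed, old signature kept
    rejected = verify_response(registry[service], service, altered)
    return ok is not None and rejected is None
```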