[cas-dev] the upcoming (but not too soon CAS4) and the CAS clients

Scott Battaglia scott.battaglia at gmail.com
Mon Oct 20 21:06:49 EDT 2008


The CAS server itself may need to support the sharing of keys such that it
can support the profiles used in the federations.

However, local CAS clients may not need that complexity, and we may wish to
come up with an alternate method to ease that.  Either way, our CAS server
management tools should be robust to make this as painless as possible.

-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


On Mon, Oct 20, 2008 at 3:40 PM, Eric Pierce <epierce at usf.edu> wrote:

> On Mon, Oct 20, 2008 at 9:41 AM, Scott Battaglia <
> scott.battaglia at gmail.com> wrote:
>
>>
>>
>> I'd prefer to use RESTful APIs vs. SOAP APIs if possible, and as stated
>> before would like to look for some method sharing keys that doesn't require
>> explicit key exchanges and updates on servers.  Any thoughts on that would
>> be appreciated.
>>
>
> The real problem with key exchange in Shib is the sheer number of public
> keys you have to keep up with -- you've got one (or more) IdPs and multiple
> SPs per institution in your federation and any of them could change public
> keys at any time.  We don't have that complexity in CAS (since we're only
> dealing with one IdP) and we can make it much easier to administer by
> leveraging the Services Management webapp.  Each CAS-client only needs to
> know about one IdP, so shared-secrets are much easier than with Shib.  We
> could generate a long random string in the webapp that just needs to be
> copy-and-pasted into the CAS-client's config for shared-secret signing.
>
> Another option is using a public/private key pair to identify the
> cas-client -- either generating the pair on the CAS server using the Service
> Management webapp as a frontend or accepting a public key that is supplied
> by the user.  We used to use a mail server called CommuniGate that handled
> certs for SMTPS/IMAPS/POPS this way and it was very easy to work with.  You
> can see what their key/cert management interface looked like here:
> http://www.communigate.com/CommuniGatePro/PKI.html#CertGen
>
>
> -Eric
>
> --
>   Eric Pierce, RHCE -- University of South Florida -- (813) 974-8868 --
> epierce at usf.edu
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
>
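Eric's shared-secret option above (a long random string generated in the Services Management webapp and pasted into the CAS client's configuration), worked through as an added example. This is illustrative code written for this page, not code from the CAS project or from anyone on the thread. The `SERVICE_SECRETS` registry stands in for the Services Management webapp, and the message format (service URL, ticket, issue time, HMAC-SHA256 over a canonical encoding) and all function names are assumptions, not a CAS protocol.

```python
"""Shared-secret signing between one CAS server and its registered clients.

Illustrative example, not CAS project code. The registry, the signed
fields and the canonical encoding are assumptions made for this demo.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Stand-in for the Services Management registry: service URL -> secret.
# In the proposal the server generates the secret and an admin pastes it
# into the client's config, so the server never has to learn a client key.
SERVICE_SECRETS = {}


def issue_secret(service_url, nbytes=32):
    """Generate and register a random shared secret for one service.

    token_urlsafe yields a copy-and-pasteable string; 32 bytes of entropy
    is more than enough as an HMAC-SHA256 key.
    """
    secret = secrets.token_urlsafe(nbytes)
    SERVICE_SECRETS[service_url] = secret
    return secret


def canonical_message(service_url, ticket, issued_at):
    """Unambiguous byte encoding of the fields covered by the signature.

    urlencode over sorted key/value pairs prevents the 'a|bc' vs 'ab|c'
    style ambiguity that plain string concatenation would allow.
    """
    fields = {"service": service_url, "ticket": ticket, "issued_at": str(issued_at)}
    return urlencode(sorted(fields.items())).encode()


def sign(secret, service_url, ticket, issued_at):
    """HMAC-SHA256 tag over the canonical message, hex encoded."""
    return hmac.new(
        secret.encode(), canonical_message(service_url, ticket, issued_at), hashlib.sha256
    ).hexdigest()


def server_issue_ticket(service_url, ticket, now=None):
    """Server side: look up the service's secret and sign the ticket."""
    secret = SERVICE_SECRETS[service_url]  # unknown service -> KeyError, refuse
    issued_at = int(time.time()) if now is None else now
    return {
        "service": service_url,
        "ticket": ticket,
        "issued_at": issued_at,
        "sig": sign(secret, service_url, ticket, issued_at),
    }


def client_verify(client_secret, expected_service, msg, now=None, max_age=300):
    """Client side: recompute the tag with the pasted secret and compare.

    Rejects messages for another service, stale or future-dated messages
    (replay window), and any tag that does not match, using a
    constant-time comparison.
    """
    if msg["service"] != expected_service:
        return False
    current = int(time.time()) if now is None else now
    issued_at = msg["issued_at"]
    if not (current - max_age <= issued_at <= current + 60):
        return False
    expected = sign(client_secret, msg["service"], msg["ticket"], issued_at)
    return hmac.compare_digest(expected, msg["sig"])


if __name__ == "__main__":
    # Constructed sample: one registered service, one ticket.
    svc = "https://app.example.edu/login"
    pasted_secret = issue_secret(svc)          # what the admin copies into the client
    msg = server_issue_ticket(svc, "ST-1234-abc")
    print("valid:", client_verify(pasted_secret, svc, msg))
    msg["ticket"] = "ST-9999-xyz"
    print("tampered:", client_verify(pasted_secret, svc, msg))
```

The key-pair alternative Eric describes would keep the same shape and only replace the HMAC with a signature the client checks against the server's public key (or the server checks against a client key uploaded through the webapp); the freshness window and the constant-time comparison are needed in either design.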