Scott wrote:
> Sam wrote:
> > There's another way though. The IDP and RADIUS server
> > already share a
> > secret. Use that key and a secure key derivation function (NIST SP
> > 800-56?) to construct the key. That way you don't actually need to
> > spend any bytes on key transport.
>
> Right, that makes sense.
Sorry, just catching up on this thread. Sam, I think your proposal makes
sense. While this approach (as Scott alluded to earlier) restricts the
ability for the SP to make subsequent requests after the token has
expired, I think this is acceptable.
I'm not quite sure where we write this up. I'm inclined to put it in the
EAP GSS Profile spec, and profile its use within that as a deployment
option so as not to preclude the use of other trust management
approaches.
josh.
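Sam's proposal above (derive the key from the secret the IdP and RADIUS server already share, instead of spending bytes on key transport) worked through as an added example. This is not code from the thread or from the EAP GSS profile: it uses HKDF (RFC 5869), a two-step extract-then-expand KDF, as the derivation function, and the label "EAP-GSS token key", the party identifiers and the per-token identifier fed in as context are assumptions for the example, not anything the thread specifies. Both parties run the same derivation over the same inputs and obtain the same key; nothing key-related ever crosses the wire.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt is replaced by HashLen zero bytes.
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    hlen = HASH().digest_size
    if length > 255 * hlen:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def _lv(field: bytes) -> bytes:
    """Length-prefix a context field so concatenated fields cannot collide."""
    return len(field).to_bytes(2, "big") + field


def derive_token_key(shared_secret: bytes, idp_id: bytes, rs_id: bytes,
                     token_id: bytes, length: int = 32) -> bytes:
    """Derive a per-token key from the IdP/RADIUS shared secret.

    The label, identity and token fields are assumptions for this example.
    Binding the key to the purpose, both peers and this specific token means
    a key derived for another token or another RADIUS peer never coincides
    with this one, even though the same long-lived secret is the input.
    """
    prk = hkdf_extract(b"", shared_secret)
    info = (_lv(b"EAP-GSS token key") + _lv(idp_id) + _lv(rs_id) + _lv(token_id))
    return hkdf_expand(prk, info, length)


def both_sides_agree(shared_secret: bytes, idp_id: bytes, rs_id: bytes,
                     token_id: bytes) -> bool:
    """Simulate the IdP and the RADIUS server each deriving the key independently."""
    idp_key = derive_token_key(shared_secret, idp_id, rs_id, token_id)
    rs_key = derive_token_key(shared_secret, idp_id, rs_id, token_id)
    return hmac.compare_digest(idp_key, rs_key)


if __name__ == "__main__":
    # Constructed sample values; a real shared secret would be provisioned out of band.
    secret = b"example-radius-shared-secret"
    print(derive_token_key(secret, b"idp.example.org", b"radius.example.net",
                           b"token-0001").hex())
    print(both_sides_agree(secret, b"idp.example.org", b"radius.example.net",
                           b"token-0001"))
```

The token identifier in the context is what makes the key single-use: once the token has expired and its identifier is no longer accepted, there is no key for the SP to reuse, which is the restriction Josh refers to above.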
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG