Retrieval of Encryption Public Key

OGC 07-118r9 24 Copyright © 2014 Open Geospatial Consortium

4. The message is then built.

The rationale of step 2 is that the SAML token is encrypted for a specific target Service Provider. Only the PEP of the targeted SP service is able to decrypt the SAML token, using its private key. The criterion used by the STS to choose the right public key is described in the next subsection, 6.4.1.1. An example of an encrypted SAML token is given in Figure 11.

6.4.1.1 Retrieval of Encryption Public Key

The STS shall encrypt the token using the Relying Party's public key. This constraint follows from the public-key encryption of the SAML token, which entails that only one defined entity is able to decrypt the delivered SAML token: the one that owns the private key associated with the encrypting public key. In order to support multiple Relying Parties, the STS shall be able to encrypt the SAML token with one selected public key, chosen among a set of multiple registered public keys. The target Relying Party is known by the Client of the STS: it is the SP entity to which a service request shall be addressed. This information should be conveyed, from STS Client to STS, in the optional AppliesTo element of the RST, which contains a wsa:Address (see Annex B), as illustrated below.

<?xml version="1.0" encoding="UTF-8"?>
<wst:RequestSecurityToken …>
  …
  <wsp:AppliesTo>
    <wsa:EndpointReference>
      <wsa:Address>urn:ceos:def:epr:esa-cds:1.0:cat-dail-ope</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  …
</wst:RequestSecurityToken>

The STS shall use a keystore containing at least one default public key and an unlimited set of public keys, each associated with the wsa:Address of a Relying Party. The rule used by the STS to choose the public key is then based on the AppliesTo element of the received RST:

- if the AppliesTo element is absent, then the public key used for encryption shall be the default public key registered on the STS;
- if the AppliesTo element is present, then the public key used for encryption shall be the public key of the specific Relying Party associated with the wsa:Address specified in the AppliesTo element [5]; if the wsa:Address is unknown to the STS, then the RST fails and a fault shall be reported to the requester (see 7.1.1.3 or 7.1.2.3).

[5] The public key of a Relying Party PEP should be distributed together with an identifier equal to the value used for the wsa:Address in the AppliesTo element (e.g. urn:ceos:def:epr:esa-cds:1.0:cat-dail-ope). This will facilitate the STS configuration, e.g. using the identifier as the alias name in the keystore to retrieve the public key.

Note that the STS implementation could leave out the treatment of the AppliesTo element but, in that case, it is recommended that the STS report a fault to the requester if the AppliesTo element is present, instead of silently ignoring this element. The following figure illustrates the various keystores with their keys for the scenario described later in section 6.4.3.3.

Figure 4: Example of Keys and Keystores
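The key-selection rule above, written out as a small worked example. This is added illustration code, not part of OGC 07-118r9 and not any STS product's implementation. It assumes the WS-Trust 1.3, WS-Policy and WS-Addressing 2005/08 namespace URIs (the page does not state which versions it uses), models the keystore as a dictionary of alias to public key (with constructed placeholder key material), and builds a constructed sample RST. The function names and the alias name "default" are this example's own choices. It covers the three cases the rule names (absent, present and registered, present but unknown), the recommended behaviour for an STS that does not implement AppliesTo, and one extra defensive check the page does not spell out: an AppliesTo element that carries no single wsa:Address is treated as a fault rather than guessed at.

```python
"""Choosing the SAML-token encryption key from wsp:AppliesTo in a WS-Trust RST.

Added example, not code from OGC 07-118r9. Namespace URIs, keystore layout
and the sample request are assumptions made for this illustration.
"""
import xml.etree.ElementTree as ET

# Assumed namespace URIs (WS-Trust 1.3, WS-Policy, WS-Addressing 2005/08).
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

DEFAULT_ALIAS = "default"  # alias of the STS default public key (name chosen here)

# Constructed keystore: alias -> public key. Real deployments hold X.509
# certificates / PEM keys; placeholder strings stand in for them here.
KEYSTORE = {
    DEFAULT_ALIAS: "<constructed placeholder: STS default public key>",
    "urn:ceos:def:epr:esa-cds:1.0:cat-dail-ope":
        "<constructed placeholder: public key of this Relying Party's PEP>",
}


class InvalidRequestFault(Exception):
    """Fault reported to the requester (the page points to 7.1.1.3 / 7.1.2.3)."""


def build_rst(address=None):
    """Construct a minimal sample RST; the AppliesTo block is included only
    when an address is given. Constructed input, not a captured request."""
    applies = ""
    if address is not None:
        applies = (
            "<wsp:AppliesTo><wsa:EndpointReference>"
            f"<wsa:Address>{address}</wsa:Address>"
            "</wsa:EndpointReference></wsp:AppliesTo>"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<wst:RequestSecurityToken xmlns:wst="{NS["wst"]}" '
        f'xmlns:wsp="{NS["wsp"]}" xmlns:wsa="{NS["wsa"]}">'
        "<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
        "</wst:RequestType>"
        f"{applies}"
        "</wst:RequestSecurityToken>"
    )


def applies_to_address(rst_xml):
    """Return the wsa:Address text inside wsp:AppliesTo, or None when absent.

    Raises InvalidRequestFault when AppliesTo is present but does not carry
    exactly one non-empty wsa:Address (a defensive check added here).
    """
    root = ET.fromstring(rst_xml)
    if root.tag != f"{{{NS['wst']}}}RequestSecurityToken":
        raise InvalidRequestFault("not a wst:RequestSecurityToken")
    applies = root.findall("wsp:AppliesTo", NS)
    if not applies:
        return None
    if len(applies) != 1:
        raise InvalidRequestFault("more than one wsp:AppliesTo element")
    addrs = applies[0].findall("wsa:EndpointReference/wsa:Address", NS)
    if len(addrs) != 1 or not (addrs[0].text or "").strip():
        raise InvalidRequestFault("wsp:AppliesTo without a single wsa:Address")
    return addrs[0].text.strip()


def select_encryption_key(rst_xml, keystore, supports_applies_to=True):
    """Apply the rule of 6.4.1.1 and return (alias, public_key).

    AppliesTo absent            -> the STS default key.
    AppliesTo present, known    -> key registered under the wsa:Address alias.
    AppliesTo present, unknown  -> fault to the requester.
    STS without AppliesTo logic -> fault rather than silently ignoring it.
    """
    address = applies_to_address(rst_xml)
    if address is None:
        return DEFAULT_ALIAS, keystore[DEFAULT_ALIAS]
    if not supports_applies_to:
        raise InvalidRequestFault("AppliesTo is not supported by this STS")
    if address not in keystore:
        raise InvalidRequestFault(f"unknown Relying Party address: {address}")
    return address, keystore[address]


if __name__ == "__main__":
    known = "urn:ceos:def:epr:esa-cds:1.0:cat-dail-ope"
    print(select_encryption_key(build_rst(known), KEYSTORE)[0])   # the RP alias
    print(select_encryption_key(build_rst(), KEYSTORE)[0])        # default
    try:
        select_encryption_key(build_rst("urn:example:not-registered"), KEYSTORE)
    except InvalidRequestFault as fault:
        print("fault:", fault)
```

The alias used for the keystore lookup is the wsa:Address string itself, which is exactly the configuration shortcut footnote 5 recommends; an STS that must also verify the requester is allowed to obtain a token for that Relying Party would add that authorisation check before the lookup.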

6.4.2 Signature Message Digest