
Trusted Proxy Entity Authentication

Wesley Miaw edited this page Nov 13, 2017 · 2 revisions

The trusted proxy entity authentication scheme provides a means by which a trusted intermediary can communicate on behalf of a third entity. For all intents and purposes, the authenticated entity identity is the third entity’s identity; however, authentication is performed against the proxy. Therefore, trust in the third entity’s identity is only as strong as trust in the proxy. It is strongly recommended that the proxy authenticate the third entity.

The proxy may use any other entity authentication scheme. To prevent abuse, however, it is important to restrict the trusted proxy authentication scheme to specific proxy entity identities that are trusted and to specific proxy entity authentication schemes.

Encryption and authentication are provided if the proxy’s entity authentication scheme provides encryption and authentication.

This scheme is identified by the string TRUSTED_PROXY.

Authentication Data Representation

authdata = {
  "#mandatory" : [ "identity", "signature", "proxyscheme", "proxyauthdata" ],
  "identity" : "binary",
  "signature" : "binary",
  "proxyscheme" : "string",
  "proxyauthdata" : object
}
Field           Description
identity        encrypted third entity identity
signature       verification data of the encrypted third entity identity
proxyscheme     proxy entity authentication scheme
proxyauthdata   proxy entity authentication data

Identity & Signature

The third entity identity is encrypted with the proxy’s entity encryption mechanism. The verification data is computed over the encrypted identity, using the proxy’s entity authentication mechanism.
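The following is an added worked example, not code from the MSL project, showing how a verifier would process this authentication data: check the mandatory fields, restrict the scheme to an allow-list of (proxy identity, proxy scheme) pairs as recommended above, authenticate the proxy, verify the signature over the encrypted identity with the proxy’s authentication mechanism, and only then decrypt the third entity identity. Everything about the proxy scheme is an assumption: a hypothetical pre-shared-key scheme named "PSK" whose authdata is `{"identity": "<proxy id>"}`, HMAC-SHA256 as its authentication mechanism, and an HMAC-SHA256 counter-mode keystream standing in for its encryption mechanism. Binary fields are carried as base64 strings, and the keys are constructed sample values.

```python
"""Trusted proxy entity authentication, verifier side (added example).

Assumptions (not from the page): proxy scheme "PSK" with pre-shared keys,
HMAC-SHA256 for authentication, HMAC-SHA256 keystream as the encryption
stand-in, and base64 for the "binary" fields.
"""
import base64
import hashlib
import hmac
import os

# Constructed sample keys for the hypothetical PSK proxy scheme.
PROXY_KEYS = {
    "proxy.example": {"enc": b"\x01" * 32, "sig": b"\x02" * 32},
}
# Allow-list of (proxy identity, proxy scheme) pairs permitted to act as proxies.
TRUSTED_PROXIES = {("proxy.example", "PSK")}

MANDATORY = ("identity", "signature", "proxyscheme", "proxyauthdata")


class AuthError(Exception):
    """Raised when the trusted proxy authentication data is rejected."""


def _keystream(key, nonce, length):
    # Counter-mode PRF keystream; stands in for the proxy scheme's cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key, plaintext, nonce=None):
    # Fresh 16-byte nonce is prepended so decrypt() can regenerate the keystream.
    nonce = nonce or os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def sign(key, data):
    # Proxy scheme's authentication mechanism: HMAC-SHA256 over the ciphertext.
    return hmac.new(key, data, hashlib.sha256).digest()


def b64(raw):
    return base64.b64encode(raw).decode()


def unb64(text):
    return base64.b64decode(text)


def build_authdata(proxy_identity, proxy_scheme, third_identity):
    """Proxy side: encrypt the third entity identity, then sign the ciphertext."""
    keys = PROXY_KEYS[proxy_identity]
    enc_id = encrypt(keys["enc"], third_identity.encode())
    return {
        "identity": b64(enc_id),
        "signature": b64(sign(keys["sig"], enc_id)),
        "proxyscheme": proxy_scheme,
        "proxyauthdata": {"identity": proxy_identity},  # assumed PSK authdata shape
    }


def authenticate(authdata):
    """Verifier side: returns the third entity identity or raises AuthError."""
    for field in MANDATORY:
        if field not in authdata:
            raise AuthError("missing mandatory field: " + field)
    scheme = authdata["proxyscheme"]
    proxy_identity = authdata["proxyauthdata"].get("identity")
    # Restrict to trusted proxy identities and proxy schemes (the page's key control).
    if (proxy_identity, scheme) not in TRUSTED_PROXIES:
        raise AuthError("untrusted proxy identity or scheme")
    keys = PROXY_KEYS.get(proxy_identity)
    if keys is None:
        raise AuthError("proxy authentication failed: no keys for proxy")
    enc_id = unb64(authdata["identity"])
    # Verify the signature over the *encrypted* identity before decrypting.
    if not hmac.compare_digest(sign(keys["sig"], enc_id), unb64(authdata["signature"])):
        raise AuthError("signature verification failed")
    return decrypt(keys["enc"], enc_id).decode()


def outcome(authdata):
    """Helper for demonstrations: identity on success, 'REJECTED: ...' otherwise."""
    try:
        return authenticate(authdata)
    except AuthError as exc:
        return "REJECTED: " + str(exc)


def demo():
    """Happy path plus two rejection cases; returns a dict of outcomes."""
    good = build_authdata("proxy.example", "PSK", "third.example")
    wrong_scheme = dict(good, proxyscheme="OTHER")  # scheme not on the allow-list
    tampered = dict(good)
    raw = bytearray(unb64(good["identity"]))
    raw[-1] ^= 0x01  # flip one ciphertext bit; signature must now fail
    tampered["identity"] = b64(bytes(raw))
    return {"valid": outcome(good), "wrong_scheme": outcome(wrong_scheme),
            "tampered": outcome(tampered)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The allow-list check runs before any cryptographic work, so an untrusted proxy identity or an unexpected proxy scheme is rejected regardless of whether its signature would verify; the signature is checked over the ciphertext, so a modified encrypted identity is rejected before decryption.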

Encryption

The encryption mechanism is equal to the encryption provided by the proxy entity authentication scheme.

Authentication

The authentication mechanism is equal to the authentication provided by the proxy entity authentication scheme.
