How does the spell Mind Blank interact with shapeshifters and other forms of false identity?

Mind Blank states:

Until the spell ends, one willing creature you touch is immune to psychic damage, any effect that would sense its emotions or read its thoughts, divination spells, and the charmed condition. The spell even foils wish spells and spells or effects of similar power used to affect the target’s mind or to gain information about the target.

How does the spell Mind Blank interact with shapeshifters and other forms of false identity?

Are all aspects of their identity protected, or just information associated with their true form/name?

  • For example, can a guard give a description of a changeling’s persona via sending since it is not their natural form?

Do we need to guard against federated identity servers lying about who signed in?

Having successfully integrated my old web forms app with an ADFS server, I got to thinking about how the process works as a whole. The old app passes the user to the remote ADFS, then eventually the user arrives back at our server with a signed-in identity of joe.schmoe@somedomain.com, but I’m not entirely clear on whether I’m supposed to trust that that’s right, or whether I’m supposed to try and ensure it’s right.

Supposing that a rogue actor at somedomain.com replaces the sign-on at the remote end or manipulates it in some way such that my local server ends up being told that bigboss@somedomain.com signed in (when it was actually tom.hacker@somedomain.com), or worse that bigboss@otherdomain.net signed in, what do we do in such situations?

Is this handled already by the auth process, such that we can be sure there are some local rules that enforce that the federated server may only return users with some characteristic such as "must really be a user of somedomain.com, for which you know this identity server is responsible"?

When we hand off authentication to a third party and get the "user X auth’d successfully" response, do we need to be wary about whether it’s truly user X and whether the server confirming the identity truly has authority to do so for the given user?

At the moment I’m thinking I should also implement my own local check that the announced user matches a pattern, to ensure the federated server isn’t used to break into other domains’ accounts, and also implement 2FA to give some extra check that the announced user truly is that person.

What’s the difference between the endorsement key and the attestation identity key within the TPM?

I’m trying to make notes about the TPM and what it does. More specifically I’m looking at the 3 RSA key pairs: the ‘endorsement key’, the ‘storage root key’ and the ‘attestation identity key’.

This is what I have written so far:

The ‘Endorsement Key’ is an RSA key pair where any data sent to another device is encrypted using the private key and the receiving device decrypts it with the public key, so it knows the data is trusted. This is created when the TPM is manufactured (not user-specific).

The ‘Storage Root Key’ is a pair of RSA keys within the TPM and is used to protect TPM-protected keys created by applications and stored outside of the TPM, so that these keys cannot be used without the TPM. It’s created when you take ownership of the TPM (if the user changes, so does the key).

However, I am now trying to research the use of the attestation identity key but don’t understand how it is different from the endorsement key. If anyone could explain in simple terms, because this is all new to me, I would greatly appreciate it 🙂

Is an identity certificate the same as a public key?

I’m new to public key infrastructure. I think I understand how public key encryption works, conceptually. So a public key is, by definition, public and not a secret. Recently, when I came across the term identity certificate and read about it, it sounded very similar to the public key of an entity. But it was not explicitly stated whether they are the same or different.

My questions are…

Is an identity certificate the same as a public key? If not, is an identity cert considered a secret?

How are they related?

How to rate a CVSS score for a vulnerability on an identity provider

I’m having difficulty rating a CVSS score for an Identity Provider. Imagine you have a vulnerability where you can bypass an authentication mechanism.

How would you rate:

  • Confidentiality (C)
  • Integrity (I)
  • Availability (A)

as you don’t know which system it will be connected to?

The scope is changing, but I can’t just assume the worst-case scenario, as it would just raise the score unnecessarily.