Shibboleth Developers

["Scott Cantor" <>]

We came to some agreement to look at using an XML file to configure some
of the necessary machinery in the target. Because I'm already working
with the parser in my APIs, I think it makes sense for me to try and
provide *some* of the configuration implementation, though probably not
all of it.

I also want to keep the SHIRE config and the WAYF config as distinct as
possible, for hopefully obvious reasons. The connection between these
two sets of records is the domain name of the origin site.

For the SHIRE:
        Origin Site Name (a DNS domain)
        Handle Service Name (a DNS name only, this isn't the full URL)
        Handle Service Certificate (optional)

The way the SHIRE's processing works, the incoming assertion contains
both the issuer and the origin site name which can be checked against
each other and this local store. The assertion can include the cert to
verify with, or it could be found locally. The way I see the Club Shib
PKI working is like so:

If certificate found in local store Then
        Verify assertion's signature with it
Else If certificate found in assertion Then
        Verify that its subject equals the assertion issuer
        Verify that the signer of the certificate is trusted
        Verify signature with it
Else
        Fail

What this does is let you preconfigure certs or rely on the cert's
signer, as you see fit.

My code should do most of this work. If you hand the assertion
constructor a key, it will assume you're in the top half of that
pseudocode and will attempt to verify the signature with it. If you
don't give it a key, then my code will look for one in the assertion and
verify the signature with it.

I will make some small changes to my SHIRE API to faciliate the
certificate checking and make it overridable for other PKI policies. I
was originally going to make the SHIRE do the work, but I think I see a
better way to handle this.

Now, on the WAYF side of things, I think I'm going to leave that alone
for now. The basic information we need to configure in is keyed off of
the handle service DNS name (which maps back to the SHIRE's local trust
store) and includes the full URL and the searchable names to match with,
but the details probably depend on what kind of interface we want to
throw together for searching in the alpha code.

I'll revise my APIs, update the docs, and provide schema for the SHIRE
trust store shortly.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--