
shibboleth-dev - Re: Origin site registry schema

Subject: Shibboleth Developers

  • From: "RL 'Bob' Morgan" <>
  • To: Scott Cantor <>
  • Cc: Shibboleth Design Team <>
  • Subject: Re: Origin site registry schema
  • Date: Mon, 10 Jun 2002 10:47:16 -0700 (PDT)


> I just checked in a new shibboleth.xsd schema

So I guess I'm behind the technology curve here, but I don't know how to
get hold of this .xsd file ...

> A sample containing just OSU is below:
>
> <OriginSites>
> <OriginSite Name="osu.edu">
> <HandleService Name="hs.osu.edu"/>
> <Domain>*.osu.edu</Domain>
> <Domain>hangonsloopy.com</Domain>
> <Alias>The Ohio State University</Alias>
> <Alias>Buckeyes</Alias>
> </OriginSite>
> <ds:Signature>
> .....signed by Internet2
> </ds:Signature>
> </OriginSites>

Here are a few comments.

Seems to me the enclosing element would just be "Sites". I don't know why
we'd want to force having to sign origins as a separate element from
signing targets. Obviously we want to have distinct schema for origins vs
targets; though even there some factoring would seem to be appropriate, eg
a site has a Name no matter what kind it is.

> Each site includes the "canonical" name, the handle service name
> (optionally can include a KeyInfo inside that element for a key or
> certificate), any additional domain regexps to allow attributes in
> (osu.edu is implied), and aliases for the WAYF. I included xml:lang
> support on the aliases to permit i18n of names for our non-English
> friends.

Seems like if several Aliases can be offered it would be necessary to
distinguish one as the preferred one. I could even imagine distinguishing
Aliases by type ("official name", "mascot name"), but let's not go there
yet.

I don't think that *.osu.edu should imply osu.edu. I think it might be
useful to be able to distinguish these for administrative purposes.
However, since matching rules are potentially mysterious, I think we
should re-use existing rules here if we can, and those that most closely
apply, it seems to me, are those from the HTTP cookie mechanism in RFC
2965. However, I can't tell at first skim how these work.

- RL "Bob"
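
Added example, not part of the original message or of the Shibboleth code: a small matcher showing the two readings discussed above, one where the site Name is implicitly an allowed domain and one where "*.osu.edu" does not cover "osu.edu". The matching rule, the function names and the name_implied flag are assumptions made for illustration; this is not the RFC 2965 algorithm, and the registry text is a constructed sample with the signature left out.

```python
import xml.etree.ElementTree as ET

# Constructed registry sample modelled on the one quoted in the message
# (signature element omitted; this sketch does not verify signatures).
REGISTRY = """
<OriginSites>
  <OriginSite Name="osu.edu">
    <HandleService Name="hs.osu.edu"/>
    <Domain>*.osu.edu</Domain>
    <Domain>hangonsloopy.com</Domain>
  </OriginSite>
</OriginSites>
"""

def load_domains(xml_text):
    """Return {site name: [Domain patterns]} from the registry document."""
    root = ET.fromstring(xml_text)
    return {
        site.get("Name"): [d.text.strip().lower() for d in site.findall("Domain")]
        for site in root.findall("OriginSite")
    }

def pattern_matches(pattern, host):
    """Assumed rule: '*.x' matches hosts with at least one label before '.x',
    never 'x' itself; any other pattern must equal the host exactly."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".osu.edu": keeping the dot enforces a label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def domain_allowed(registry, site, domain, name_implied=False):
    """Is `domain` acceptable for attributes coming from origin `site`?
    name_implied=True models the quoted proposal (site Name always allowed)."""
    patterns = list(registry.get(site, []))
    if name_implied:
        patterns.append(site.lower())
    return any(pattern_matches(p, domain) for p in patterns)

if __name__ == "__main__":
    reg = load_domains(REGISTRY)
    for d in ("cs.osu.edu", "osu.edu", "evilosu.edu", "www.hangonsloopy.com"):
        print(d, domain_allowed(reg, "osu.edu", d),
              domain_allowed(reg, "osu.edu", d, name_implied=True))
```

Keeping the leading dot in the wildcard suffix is what stops a lookalike such as "evilosu.edu" from matching, whichever reading of the apex rule is chosen.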

