
shibboleth-dev - RE: Deploy Guide v.10

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: , 'Nate Klingenstein' <>
  • Cc:
  • Subject: RE: Deploy Guide v.10
  • Date: Wed, 03 Jul 2002 11:42:50 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> -- 3.a.ii -- Key generation; in the keytool commands, it might be
> useful to mention which parameter values MUST match which values in
> the web.xml file...

It's kind of the other way 'round; the web.xml settings should match
what you put in the keystore, but it would be good to reference it.

> -- 3.a.ii -- values to enter during key generation; we might want to
> explicitly mention that the command asks you for "first and last
> name", and that you should enter the dns name for the host. For
> consistency, might want to offer a recommendation on what to enter
> for OU, O, L, and state.

I thought I recalled the Name prompt being a bit weird, yes. Definitely
need to explain that first and last name is the common name.

> -- 4.b.ii -- (displaying my experience level with openssl....) are
> the keys and certs put in a "standard" place? I don't think this
> section says anything about where to put them...?

OpenSSL isn't an application, so it doesn't care about them. mod_ssl
puts its stuff by default in a bunch of ssl folders underneath
apache/conf, which is what my example config shows.

If you're not sharing a key/cert with your server, you can generate and
place them anywhere. I would generally use the conf/ directory for that;
I usually put my DCE keytabs and such there, for example. But it doesn't
really matter.

I'll try and supply some better text shortly.

-- Scott
