shibboleth-dev - How important is interop?
Subject: Shibboleth Developers
List archive
- From: Scott Cantor <>
- To:
- Subject: How important is interop?
- Date: Wed, 23 Apr 2003 22:56:17 -0400
- Importance: Normal
- Organization: The Ohio State University
I've discussed this on IRC a bit, but I have to make a decision now, so I'm
opening up the question again...
Despite what I said last release, the signature code is still a mess because
SAML 1.0 has some deficiencies that can't really be
solved without some ugly work-arounds. When we shipped 0.8, I assumed that I
was stuck with that approach for the foreseeable
future, so I sort of promised interop with 1.0.
Well, much to my surprise, SAML 1.1 is closing in on last call, and the
interest in getting it right has been superseding
compatibility. As of now, it's possible for me to implement the expected 1.1
changes now, get the signature profiles fully
implemented and correct for both Shibboleth and the other SAML developers out
there, and just close the book on this until SAML 2.0
changes everything again.
But I can't make it compatible with 0.8 if I do that without a lot of work.
In particular, the SAML 1.1 code will reject messages
from 0.8 in certain cases because of a small difference in the allowed values
in the message ID attributes. I didn't expect that to
happen (this makes SAML 1.1 backward-incompatible with SAML 1.0 messages,
which is a very surprising step), but it makes clean
interop more complicated, particularly since I validate messages with a
schema.
As things stand now, we have an origin site that doesn't really work all that
well as far as attribute access, and a target site
that isn't secure. I'm not going to mince words on that, it's simply not
doing any of the checking that a real PKI app would need to
do to be correct in even a limited sense.
So I'm inclined to apologize now rather than later, but if we really have to
work with 0.8, then I can live with it. I'll be forking
off OpenSAML pretty quickly after 0.9 to support SAML 1.1 though, because
people are waiting on me to get signing of assertions
fixed.
-- Scott
------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
------------------------------------------------------mace-shib-design--
- How important is interop?, Scott Cantor, 04/23/2003
- Re: How important is interop?, RL 'Bob' Morgan, 04/24/2003
- RE: How important is interop?, Scott Cantor, 04/24/2003
- RE: How important is interop?, RL 'Bob' Morgan, 04/24/2003
- RE: How important is interop?, Scott Cantor, 04/24/2003
- RE: How important is interop?, RL 'Bob' Morgan, 04/24/2003
- RE: How important is interop?, Scott Cantor, 04/24/2003
- RE: How important is interop?, RL 'Bob' Morgan, 04/24/2003
- RE: How important is interop?, Scott Cantor, 04/24/2003
- Re: How important is interop?, RL 'Bob' Morgan, 04/24/2003
Archive powered by MHonArc 2.6.16.