
shibboleth-dev - Re: Trust metadata for discussion

Subject: Shibboleth Developers

  • Subject: Re: Trust metadata for discussion
  • Date: Wed, 14 May 2003 10:55:05 -0400

At 1:08 AM -0400 5/14/03, Scott Cantor wrote:
> Chatted with Walter briefly on this, thought I'd distribute a little wider now that it's crystallized a bit. I've worked on some
> extensions to the metadata schema to drive the trust evaluation at the SHIRE, which is the only spot that's completely under our
> control (the rest is SSL stuff and currently handled somewhat under the covers).


This looks very interesting... though it's going to take a few tries to fully understand it... let me start with low-level questions, trying to better understand the model.....

> For example I can configure my OSU target thusly:



> Now I can trust both external and internal sites, but use a different CA for each set. I'll have to configure my SHAR with both CAs,
> but the AA trust still flows somewhat from the original SHIRE step, so if I trust that part, I can trust the AA name/location to be
> ok for now.


how would we deal with the situation where osu.edu has to be in both groups/federations? (i.e., you'd like "regular" osu folks to be able to access your local targets?)

I suppose you could operate a second AA, making assertions on behalf of a differently named osu domain. And then include that second domain in the osu group.

But, suppose you didn't want to do that.. and instead wanted to have the osu origin in BOTH incommon and the osu federation.....

how would that affect your target side algorithms?




