Shibboleth Developers

["RL 'Bob' Morgan" <>]

On Wed, 14 May 2003, Scott Cantor wrote:

> Well, so far, I've presented a first draft that requires:
>
> a) one sites file

I'm trying to understand this too.  I'll admit to not being that familiar
with the existing sites file schema.  Is the intent that SiteGroup
represents what we call a federation?  How is the SiteGroup structure
reflected in the code?

I guess there are choices here regarding XML objects, signatures, XML
documents, and files (or does one file = one XML document?).  Given the
underlying technology I guess things could be done any number of ways:  a
federation authority could issue a bunch of little files, each containing
a signed object containing a single Site element; or it could put out a
big file/document with those signed objects in it; or it could have a big
file with one signature over the set; etc.  And the target has some of the
same choices:  merge objects into one file, etc.  I don't know how we
decide what's reasonable here.

Seems to me like a model where federations issue a singly-signed document
listing their (origin) sites, standalone origins can do the same, and
targets can stick all these documents in one place (much as they do with
CA roots) in order to rely on them, is straightforward.  But making the
XML hackery work right may be the most important, I dunno.  Or maybe I've
misunderstood the choices here.

 - RL "Bob"


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--