shibboleth-dev - Credential formats/access

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: 'Shibboleth Design Team' <>
  • Subject: Credential formats/access
  • Date: Thu, 28 Aug 2003 14:44:55 -0400
  • Importance: Normal
  • Organization: The Ohio State University

I'm starting to flesh out a design (ok, I'm coding, but same diff for me)
for the way I want to handle Shib targets (and potentially origins I think,
but Walter and I can discuss) to figure out what credentials to use for a
given transaction.

Specifically in a target, it tells the code what key and certificate chain
to use when doing TLS. I want to make this controllable the way we do the
trust checking, based on the identity of the AA or on the site or its site
groups.

So I could say "use this cert for this site, but this cert for any other
sites in this federation/group".

My current drafty notion is to create a new interface called ICredential
that the target would use to "attach" policy and credentials to the SSL
connection before it inits. In turn, the first implementation of that
interface would be an XML provider that uses essentially the same schema as
the trust.xml file:

<Credentials>
  <KeyAuthority>
    <ds:KeyInfo>
      stuff
    </ds:KeyInfo>
    <Subject regexp="true">^urn:mace:inqueue:.+$</Subject>
  </KeyAuthority>
</Credentials>

KeyAuthority is a dumb name for this, but I can change that, it just happens
to already have the schema I want. It's mapping credentials to subjects that
are being interacted with. So rather than a binding of cert to entity, it's
binding key/cert to entities at the other end of the connection. Maybe
KeyUse would be a better name.

Anyway, the interesting part is the "stuff". KeyInfo is really wide open,
and so I want to use it as much as possible to point to or contain the keys
and certs. I've found that RetrievalMethod is one good element for this,
since it can say "find the thing of this type at this URI". The only hitch
is there aren't many "types" defined, apart from XML-type stuff. The only
one it does have is a way to pull in a DER X.509 certificate, so I
implemented that.

Then I started defining my own Shib URNs to define other important types,
like PEM certs and PEM RSA keys.

So I'm looking for feedback on what credential formats I should
support/define. Do we need anything apart from:

X.509 DER local file
X.509 PEM local file (includes a chain of PEM certs in a file)
X.509 chain inband as XML like in the trust file
RSA key PEM local file
RSA key inband as XML (maybe weird, but it's easy to support)

I would imagine we'd want to include Java keystore types for future use,
whether origin or target, but those won't likely be RetrievalMethod based,
we'd want our own KeyInfo structure for that to specify important details
like keystore type and such.

Obviously, smartcard or other token based ways of getting keys might make
sense, but if we're not gonna code it yet, I don't think I'm going to define
that.

-- Scott

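To make the proposed mapping concrete, here is an added illustration (not Shibboleth code, and not from the post above) of how a target could select its TLS credentials from a Credentials file of the sketched shape: each KeyAuthority carries ds:RetrievalMethod references inside ds:KeyInfo plus Subject entries naming the peers it applies to, and the first entry in document order whose Subject matches the peer wins. The sample XML, the file URIs, the rule that a KeyAuthority with no Subject applies to every peer, and the placeholder URN standing in for the unnamed Shib-defined PEM types are all assumptions; only the rawX509Certificate Type URI is the one xmldsig actually defines.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Type URI that xmldsig defines for a RetrievalMethod pointing at a DER X.509 certificate
RAW_X509 = DS + "rawX509Certificate"
# Placeholder for the Shib-defined PEM types the mail mentions but does not name
PEM_PLACEHOLDER = "urn:example:shib:pem-placeholder"

# Constructed sample: a site-specific entry first, then a catch-all for the InQueue group.
SAMPLE = f"""<Credentials xmlns:ds="{DS}">
  <KeyAuthority>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="file:///etc/shib/osu-cert.der" Type="{RAW_X509}"/>
      <ds:RetrievalMethod URI="file:///etc/shib/osu-key.pem" Type="{PEM_PLACEHOLDER}"/>
    </ds:KeyInfo>
    <Subject>urn:mace:inqueue:example.edu</Subject>
  </KeyAuthority>
  <KeyAuthority>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="file:///etc/shib/fed-cert.der" Type="{RAW_X509}"/>
    </ds:KeyInfo>
    <Subject regexp="true">^urn:mace:inqueue:.+$</Subject>
  </KeyAuthority>
</Credentials>"""


def subject_matches(subject_el, peer):
    """Exact comparison by default; regexp="true" applies the pattern as written."""
    pattern = (subject_el.text or "").strip()
    if subject_el.get("regexp", "false").lower() == "true":
        return re.search(pattern, peer) is not None
    return pattern == peer


def select_credentials(xml_text, peer):
    """Return the (Type, URI) references of the first KeyAuthority that applies to peer.

    Assumption: a KeyAuthority without any Subject applies to every peer.
    An empty list means no credential is configured for that peer.
    """
    root = ET.fromstring(xml_text)
    for ka in root.findall("KeyAuthority"):
        subjects = ka.findall("Subject")
        if subjects and not any(subject_matches(s, peer) for s in subjects):
            continue
        return [(rm.get("Type"), rm.get("URI")) for rm in ka.iter(f"{{{DS}}}RetrievalMethod")]
    return []
```

Because entries are consulted in document order, the site-specific KeyAuthority must precede the group-wide one, otherwise the regexp catch-all shadows it.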