
shibboleth-dev - RE: OS X info, webDAV use case

Subject: Shibboleth Developers

RE: OS X info, webDAV use case


  • Subject: RE: OS X info, webDAV use case
  • Date: Wed, 24 Sep 2003 12:07:43 -0400

So, we have access to the source for two important webdav clients (OS X, Linux), and in the case of Microsoft -- as Scott has noted:

At 11:56 AM -0400 9/24/03, Scott Cantor wrote:
> I wasn't specifically looking at Microsoft with that comment, but in their
> case, all they need do is document the file system interface, and they have.

so.... how would we like this to work?

Here's an intentionally dumb strawman......

- the client connects over TCP (or SOAP) to the local Handle Dispensing Service

- the client authenticates using the local convention (provide Kerberos service ticket, PKI, etc)

- HDS returns signed SAML Authn Assertion, containing handle

- client POSTs handle to SHIRE on the WEBDAV server

- SHIRE creates session, creates cookie, redirects to real target (webdav server)

- client accepts redirect, issues HTTP GET to webdav server (along with the shib session cookie)

- webdav server recognizes shib protected resource, triggers mod_shibrm, which triggers SHAR, which asks origin for attributes, and then runs shib access control decision (using attributes)

- webdav server responds

is this OK? How should this *really* work?
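
The strawman flow above, modelled end to end as an added example (not part of the original message and not Shibboleth code). Assumptions: an HMAC over a JSON body stands in for the signed SAML assertion, and every name, path and attribute value is hypothetical.

```python
import hashlib, hmac, json, secrets

# Constructed sample data; every name below is hypothetical.
HDS_KEY = secrets.token_bytes(32)      # HMAC stands in for the SAML XML signature
DIRECTORY = {"alice": {"affiliation": "staff"}, "bob": {"affiliation": "guest"}}
HANDLES = {}    # origin side: opaque handle -> local user
SESSIONS = {}   # target side: session cookie -> handle

def _sign(body: bytes) -> str:
    return hmac.new(HDS_KEY, body, hashlib.sha256).hexdigest()

def hds_issue(user: str, local_auth_ok: bool) -> dict:
    """Client authenticates locally; HDS returns a signed assertion with a handle."""
    if not local_auth_ok or user not in DIRECTORY:
        raise PermissionError("local authentication failed")
    handle = secrets.token_hex(16)     # opaque: reveals nothing about the user
    HANDLES[handle] = user
    body = json.dumps({"issuer": "hds.origin.example", "handle": handle}).encode()
    return {"body": body, "sig": _sign(body)}

def shire_post(assertion: dict, target: str) -> dict:
    """SHIRE checks the signature, creates session and cookie, redirects to target."""
    if not hmac.compare_digest(_sign(assertion["body"]), assertion["sig"]):
        raise PermissionError("assertion signature invalid")
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = json.loads(assertion["body"])["handle"]
    return {"status": 302, "location": target, "cookie": cookie}

def origin_attributes(handle: str) -> dict:
    """What the SHAR's attribute query to the origin returns for a handle."""
    return DIRECTORY.get(HANDLES.get(handle, ""), {})

def webdav_get(cookie: str, required: dict) -> int:
    """Protected resource: session lookup, attribute query, access decision."""
    handle = SESSIONS.get(cookie)
    if handle is None:
        return 401                     # no Shibboleth session for this cookie
    attrs = origin_attributes(handle)
    return 200 if all(attrs.get(k) == v for k, v in required.items()) else 403

def run_flow(user: str, required: dict) -> int:
    redirect = shire_post(hds_issue(user, True), "/dav/reports/")
    return webdav_get(redirect["cookie"], required)

if __name__ == "__main__":
    print(run_flow("alice", {"affiliation": "staff"}), run_flow("bob", {"affiliation": "staff"}))
```

The WebDAV server only ever sees the cookie and the opaque handle; the user's identity stays at the origin, and the access decision rests on the attributes returned for that handle.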
