shibboleth-dev - RE: QIK proposal re public key management
  • From: Scott Cantor <>
  • To: 'RL 'Bob' Morgan' <>, 'Shibboleth Dev Team' <>
  • Subject: RE: QIK proposal re public key management
  • Date: Thu, 16 Oct 2003 12:07:16 -0400
  • Importance: Normal
  • Organization: The Ohio State University

I chatted a little with Paul at the Santa Clara Liberty meeting about trust
metadata and he wasn't sure whether this work was like/unlike what we were
playing around with in Shib, but I thought we should eventually look into
it.

It is not being worked on actively in Liberty at this point, and Liberty
metadata basically takes the "stick the key in the metadata" approach.

My semi-unstated direction has been to begin to migrate our operational
metadata to the Liberty->SAML stuff, but use <KeyName> to reference a named
physical entity that owns the keying material, if necessary. This maintains
some separation between the standards-based metadata and the <Trust> schema
that I built at your suggestion, so that we could move toward some other
approach for that later.

For example, to maintain a CA-based validation of incoming signatures from a
site, its metadata could include a KeyName containing the subject of the
certificate it will send with the signature. The validation process would
then use the <Trust> data as now to locate appropriate CAs and check the
cert and its subject.

It's worth noting I think that we'll probably never achieve much real
interop with commercial SAML this way, since most products will no doubt
expect certs to be in the metadata. It's my intent to support that in the
code for that reason.

-- Scott
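The two trust models contrasted in the message above (a certificate pinned in the metadata versus a <KeyName> that names the certificate subject, validated through separate CA trust data), as an added example that is not part of the original post or the Shibboleth code. The metadata, the entity IDs, the `TRUST` mapping standing in for the <Trust> data, and the `PresentedCert` fields are all constructed assumptions; real X.509 parsing and chain validation are assumed to have been done by an X.509 library before `accept_signer` runs.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: sp1 pins its certificate, sp2 only names the key owner.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth"><md:SPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...sp1-cert-placeholder</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth"><md:SPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo>
      <ds:KeyName>CN=sp2.example.org,O=Example</ds:KeyName>
    </ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Hypothetical stand-in for the separate <Trust> data: CAs allowed to vouch for each named owner.
TRUST = {"CN=sp2.example.org,O=Example": {"CN=Example Federation CA,O=Example"}}

@dataclass
class PresentedCert:  # fields an X.509 library would read from the cert sent with the signature
    der_b64: str
    subject: str
    issuer: str
    chain_ok: bool  # assumed result of chain validation against the CA store

def signing_key_policy(metadata_xml, entity_id):
    """Return ('pinned', cert) or ('named', keyname) for the entity's signing KeyDescriptor."""
    for ent in ET.fromstring(metadata_xml).findall("md:EntityDescriptor", NS):
        if ent.get("entityID") != entity_id:
            continue
        ki = ent.find("md:SPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo", NS)
        cert = ki.findtext("ds:X509Data/ds:X509Certificate", None, NS)
        name = ki.findtext("ds:KeyName", None, NS)
        return ("pinned", cert.strip()) if cert else ("named", name)
    return (None, None)

def accept_signer(metadata_xml, entity_id, presented):
    mode, value = signing_key_policy(metadata_xml, entity_id)
    if mode == "pinned":  # certificate-in-metadata: the metadata itself is the trust anchor
        return presented.der_b64 == value
    if mode == "named":   # KeyName: CA-validated chain whose subject is the named owner
        return (presented.chain_ok and presented.subject == value
                and presented.issuer in TRUST.get(value, set()))
    return False  # unknown entity or KeyDescriptor without usable key information
```

The named path is only as strong as the CA list behind `TRUST`: a chain that validates under a CA not listed for that name is rejected even when the subject matches, which is the check that makes the indirection safe.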
