
shibboleth-dev - RE: Fwd: More detailed Grid scenarios

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: 'Von Welch' <>, "'David L. Wasley'" <>
  • Cc:
  • Subject: RE: Fwd: More detailed Grid scenarios
  • Date: Thu, 15 Jan 2004 12:02:04 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> No, just that the target service accepts identity credentials from the
> user's origin domain (e.g. it trusts the CA that issued the user's
> EEC).

It doesn't *have* to, but the only difference is where the validation is
done, not in the actual process. If you send the certificate to the
authority and it signs the resulting assertion (or uses SSL, etc.), then
that can effectively act like a counter-signature of the original
certificate binding it to the subject of the assertion (or the assertion can
even have a key confirmation in it that you tie back to the original cert).

Both models are possible depending on what code you've got and what you want
it to do.

> Right. I think we've had discussions in the past if Shib could use a
> Subject name instead of a handle. The answer I believe I've gotten is
> "yes with some work".

Yes, with some work if you want good security and the ability to run one AA
servlet supporting both types of names. I do principal name queries against
one of my AAs today, but I have to lock it down.

-- Scott



