shibboleth-dev - trust.xml
Subject: Shibboleth Developers
- From: Noah Levitt <>
- To:
- Subject: trust.xml
- Date: Tue, 21 Sep 2004 21:33:31 -0400
Hello,
Are these observations about trust.xml as it's used in the
shib implementation correct?
1. In a <KeyAuthority> the <ds:KeyName> must correspond
to a providerId. Putting a DN or a CN in there never got
it to match anything for me.
2. Putting a cert in a <ds:KeyInfo> and outside a
<KeyAuthority> does not make the shar trust anything.
(What is the purpose of <ds:KeyInfo> outside of
<KeyAuthority>?)
3. The most specific providerId for a given relying party
that matches a <ds:KeyName> is the only KeyAuthority
tried when matching a cert. So if a relying party has its
own <KeyAuthority>, but there is also another
<KeyAuthority> for the federation of which the IdP is a
member, only the former will be used. Also, if the same
<ds:KeyName> appears in multiple <KeyAuthority>s, only
the first match will be used; others will be ignored.
Perhaps these things, or the relevant correct information if
this stuff is wrong, could be documented?
Noah
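To make the three observations above concrete, here is a constructed trust.xml fragment laid out the way the message describes: it is an added illustration, not a file from the original thread or from the Shibboleth distribution. The namespace URI, the providerId values (urn:mace:example.org:...), the VerifyDepth attribute and the certificate placeholders are all assumptions chosen for the example; the certificate bodies are deliberately not real.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of a Shibboleth 1.x trust file (not from the original post).
     Namespace and attribute names are assumed for illustration. -->
<Trust xmlns="urn:mace:shibboleth:trust:1.0"
       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

  <!-- Observation 1: the ds:KeyName is a providerId, not a DN or CN.
       This KeyAuthority covers every relying party whose providerId
       matches the federation-level name (assumed value). -->
  <KeyAuthority VerifyDepth="1">
    <ds:KeyName>urn:mace:example.org:federation</ds:KeyName>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          PLACEHOLDER-FEDERATION-CA-CERT-BASE64
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </KeyAuthority>

  <!-- Observation 3: a more specific providerId wins. Per the post, when a
       certificate from this relying party is checked, only this KeyAuthority
       is consulted; the federation-level one above is not tried as a fallback,
       so the CA that actually issued this party's cert must be listed here. -->
  <KeyAuthority VerifyDepth="1">
    <ds:KeyName>urn:mace:example.org:federation:sp.example.org</ds:KeyName>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          PLACEHOLDER-SP-ISSUER-CA-CERT-BASE64
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </KeyAuthority>

  <!-- Observation 2: a bare ds:KeyInfo outside any KeyAuthority. The post
       reports that this does not cause the SHAR to trust anything; it is
       shown here only so the distinction is visible. -->
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>
        PLACEHOLDER-UNUSED-CERT-BASE64
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>

</Trust>
```

The practical check that follows from observation 3 is to verify, for each relying party that has its own <KeyAuthority>, that the issuer of that party's certificate is present in that specific block, since the federation-level anchors will not be consulted for it. Whether these observations are accurate for a given release is exactly the question the post raises, so confirm against the reply in the thread and the version in use.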
- trust.xml, Noah Levitt, 09/21/2004
- RE: trust.xml, Scott Cantor, 09/21/2004