
shibboleth-dev - Re: Update on AA plans


Re: Update on AA plans


  • From: "RL 'Bob' Morgan" <>
  • To: Keith Hazelton <>
  • Cc:
  • Subject: Re: Update on AA plans
  • Date: Mon, 1 Nov 2004 08:32:10 -0800 (PST)


On Mon, 1 Nov 2004, Keith Hazelton wrote:

Question about coming support in Shib AA for scenarios where user presents an X.509 cert to SP and the cert contains a useful subject identifier and a pointer to a corresponding IdP.

Do I understand this centers on the addition of key holder token support to the Shib AA to complement the current bearer token (if my terminology is correct)? What's the priority, timeline, etc.? Relevant to how we pitch Shib / PKI (user certs) here at UW-Madison in the near future.

You may be thinking about the scenario discussed with Lionshare, where client cert authentication to the SP just establishes the client as possessing a particular private key (known to SP by its corresponding public key of course), and the attribute assertion uses holder-of-key subject confirmation to tie that key to the assertion and hence to the asserting authority. This has the effect of shifting the path-processing burden from the pure X.509 venue (client cert validation) to the SAML venue (holder-of-key confirmation). This is probably appealing in the Lionshare case which is peer-to-peer oriented and hence somewhat more fluid.

The Grid case that Steven mentions does full validation of the client cert at the SP, and so might use a name-based attribute assertion (a la current Shib, only with relatively long-lived name instead of handle), and avoid any need for holder-of-key confirmation. It seems to me as though we may need to support both of these in Shib, but perhaps that's what we need to discuss.

- RL "Bob"
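As an added illustration of the two confirmation styles contrasted in the reply above (not code from this thread or from Shibboleth): a Python model of the SP-side check for a SAML 1.x attribute assertion, assuming the assertion's XML signature has already been verified against a trusted IdP key and that the SP holds the TLS client cert's DER bytes and subject DN. The assertion builder, the certificate bytes and the names are constructed for the demo.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# SAML 1.x namespaces and the two subject-confirmation methods the thread contrasts.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
FAKE_DER = b"constructed-client-cert-der"  # constructed stand-in for the TLS client cert (DER)
_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML UTC dateTime -> aware datetime

def confirm_subject(assertion_xml, client_cert_der, client_subject_dn, now=None):
    """Bind a SAML 1.x assertion to the TLS-authenticated client; returns (ok, reason).
    Assumption: the XML signature was checked against a trusted IdP key before this call."""
    root = ET.fromstring(assertion_xml)
    now = now or datetime.now(timezone.utc)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and _ts(nb) > now) or (na and _ts(na) <= now):
            return False, "assertion outside its validity window"
    subj = root.find(".//saml:Subject", NS)  # SAML 1.x: Subject sits inside the statement
    conf = subj.find("saml:SubjectConfirmation", NS) if subj is not None else None
    if conf is None:
        return False, "no SubjectConfirmation"
    methods = [m.text for m in conf.findall("saml:ConfirmationMethod", NS)]
    if CM_HOLDER_OF_KEY in methods:  # Lionshare style: no cert path validation at the SP needed
        cert = conf.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            return False, "holder-of-key without KeyInfo"
        if base64.b64decode("".join(cert.text.split())) != client_cert_der:  # raw DER compare
            return False, "TLS client key does not match assertion KeyInfo"
        return True, "holder-of-key confirmed"
    if CM_BEARER in methods:  # Grid style: SP fully validated the cert, so bind by long-lived name
        if subj.findtext("saml:NameIdentifier", namespaces=NS) != client_subject_dn:
            return False, "NameIdentifier does not match validated cert subject"
        return True, "bearer assertion bound by validated cert subject"
    return False, "unsupported confirmation method"

def make_assertion(method, name="CN=Alice", cert_der=None):
    """Constructed, unsigned SAML 1.1 attribute assertion for the demo (not real IdP output)."""
    keyinfo = "" if cert_der is None else (
        f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data><ds:X509Certificate>'
        f'{base64.b64encode(cert_der).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" MajorVersion="1" MinorVersion="1">'
            '<saml:Conditions NotBefore="2004-11-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z"/>'
            f'<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>{name}</saml:NameIdentifier>'
            f'<saml:SubjectConfirmation><saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>'
            f'{keyinfo}</saml:SubjectConfirmation></saml:Subject></saml:AttributeStatement></saml:Assertion>')
```

A mismatch between the key proved in the TLS handshake and the KeyInfo in the assertion is the holder-of-key failure an SP must reject, since it is the only thing binding the attribute assertion to this particular client.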
