Shibboleth Developers

[Tom Barton <>]

Walter Hoehn wrote:
> A couple of comments.  Sorry if we've been over these before, but it's 
> been a mighty long time since we've discussed it.
>
> 1) In section I.2a it seems that it would be more inline with current 
> practice to place and IdP provider id in the certificate extension.  
> This could then be used to lookup the set of valid attribute query 
> endpoints.

Ok. What "resolver" is used to look them up? Are you referring to 
metadata maintained and distributed to IdPs and SPs by a 3rd party (a 
federation), that an SP would use to look up a provider id?

> 2) Sections I.3 & I.4 also seem a little fishy.  Why must an AA be 
> "uniquely" identified by a certificate?  Are you planning to use 
> shibboleth metadata interfaces?

I think the intent is to be able to do mutual authn between AAs and grid 
services - 'unique' in the sense of there being at most one cert in the 
SP's possession which can be used to authenticate an SSL connection with 
a given AA. Identification of AAs needn't be done this way.

> -Walter
>
> On Jan 18, 2005, at 5:46 PM, Von Welch wrote:
>
> > Below are pointers to our draft Grid-Shib profile describing, from a
> > Shib perspective, how we plan Shib-Grid integration. These are
> > refined versions of the scenarios I posted last January.
> >
> > They need a little preamble to set context to stand-alone and some
> > polishing, but we'd be interested in any feedback from this group on
> > the technical approach.
> >
> > The two documents are the same content, just different formats.
> >
> > http://grid.ncsa.uiuc.edu/GridShib/docs/GridShib-Profile-03.doc
> > http://grid.ncsa.uiuc.edu/GridShib/docs/GridShib-Profile-03.pdf
> >
> > Von