
shibboleth-dev - RE: Follow-up to design call re: path length

Subject: Shibboleth Developers


RE: Follow-up to design call re: path length


  • From: "Howard Gilbert" <>
  • To: <>
  • Subject: RE: Follow-up to design call re: path length
  • Date: Tue, 1 Mar 2005 14:01:47 -0500



> That is what path validation already does if the objects in the tree are
> used as trust anchors during the validation process. What is the point of
> doing this again?

I think we can close this with a compromise.

I will agree that given the two current codebases (Java and OpenSSL), we can
use library Certificate validation routines to do Trust, just because we can
make it work.

I will ask Scott to note that this is an implementation trick that would not
transfer to another system (such as Shibboleth.NET were there such a thing,
because the Microsoft library may not, and I have not verified this, give
you a way to validate certificates against a custom list).

In Java, as I read the documentation, I pass each X509Certificate from the
Metadata Extensions to the constructor of a TrustAnchor object. I pass a Set
of TrustAnchor objects appropriate for a particular validation to the
constructor of the PKIXParameters object. I pass the Certificate and the
PKIXParameters object to the validate() method of a CertPathValidator object
obtained from CertPathValidator.getInstance("PKIX").

Now assume for a minute that alqaedau.edu.bd in Bangladesh wants to join a
Federation. Their administrator, fills out the forms and
submits a self-signed CA to be trusted. Plausibly we want the CA to be
authoritative only for the Roles under the Entit(ies)Descriptor containing
this CA Certificate. We cannot rely on the Cert to do name restrictions. The
requirement is we cannot allow this CA to appear in a validation algorithm
for any other Entity in the Federation, or if it does we have to ensure that
it is used only for *.alqaedau.edu.bd hostnames.

This leaves one choice and one strawman:

1) Create a custom PKIXParameters object per Entity [preferred]. It is
constructed from a set of Certificates from the Roles of that Entity and
from the Metadata Extensions of the EntityDescriptor and its parent
EntitiesDescriptor. It is used to validate certificates presented with
regard to the Roles of this Entity.

2) Create a name restriction byte[] per Entity and pass it to
CertPathValidator along with a PKIXParameters object that aggregates all the
CAs in the Metadata. This is harder because a name restriction byte[] is an
ASN.1 production, and it is sloppier because it goes out of its way to
create a problem for which there is then a very difficult but theoretically
feasible solution.

Disclaimer: Code cannot be assumed to work just because there is Javadoc.
Needs to actually be written and tested.
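The per-Entity PKIXParameters approach (choice 1 above) sketched in the Java API walk-through, written out as an added example. This is not code from the message or from the Shibboleth project; the class name PerEntityTrust, the entityID-keyed map of anchors, and the PEM-file command line are assumptions made for illustration. The point it demonstrates is the isolation requirement: a CA registered under one EntityDescriptor is placed only in that Entity's TrustAnchor set, so it can never satisfy a validation performed for any other Entity.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: one trust-anchor set per Entity, never a federation-wide pool. */
public class PerEntityTrust {

    // entityID -> CA certificates taken from that EntityDescriptor's extensions
    // and from its enclosing EntitiesDescriptor (assumed to be populated by the
    // metadata loader; the map itself is an assumption of this example).
    private final Map<String, Set<X509Certificate>> anchorsByEntity = new HashMap<>();

    public void addAnchor(String entityId, X509Certificate ca) {
        anchorsByEntity.computeIfAbsent(entityId, k -> new HashSet<>()).add(ca);
    }

    /** Build PKIXParameters containing only the anchors registered for this Entity. */
    public PKIXParameters parametersFor(String entityId) throws GeneralSecurityException {
        Set<X509Certificate> cas = anchorsByEntity.getOrDefault(entityId, Collections.emptySet());
        if (cas.isEmpty()) {
            // No anchors means nothing can validate; fail closed rather than fall back
            // to some global list.
            throw new GeneralSecurityException("no trust anchors registered for " + entityId);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : cas) {
            // Second argument is the DER-encoded NameConstraints byte[] of choice 2;
            // with per-Entity parameters it is not needed, so it stays null.
            anchors.add(new TrustAnchor(ca, null));
        }
        PKIXParameters params = new PKIXParameters(anchors);
        // No CRL/OCSP sources are configured in this example; a deployment would
        // leave revocation enabled and supply CertStores.
        params.setRevocationEnabled(false);
        return params;
    }

    /** Validate a presented chain (end-entity first) against this Entity's anchors only. */
    public boolean validate(String entityId, List<X509Certificate> chain) {
        try {
            PKIXParameters params = parametersFor(entityId);
            // The PKIX validator expects the path to end below the trust anchor, so any
            // anchor certificate the peer happened to send along is dropped from the path.
            Set<X509Certificate> anchorCerts = new HashSet<>();
            for (TrustAnchor ta : params.getTrustAnchors()) anchorCerts.add(ta.getTrustedCert());
            List<X509Certificate> path = new ArrayList<>();
            for (X509Certificate c : chain) if (!anchorCerts.contains(c)) path.add(c);
            if (path.isEmpty()) return false;

            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath certPath = cf.generateCertPath(path);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            validator.validate(certPath, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;               // chain does not reach one of this Entity's anchors
        } catch (GeneralSecurityException e) {
            return false;               // no anchors, bad encoding, or unsupported algorithm
        }
    }

    private static X509Certificate loadPem(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Usage (assumed layout): java PerEntityTrust <entityID> <ca.pem> <leaf.pem> [<intermediate.pem> ...] */
    public static void main(String[] args) throws Exception {
        PerEntityTrust trust = new PerEntityTrust();
        trust.addAnchor(args[0], loadPem(args[1]));
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) chain.add(loadPem(args[i]));
        System.out.println("valid for " + args[0] + ": " + trust.validate(args[0], chain));
        // The same chain checked under a different entityID has no anchors and is rejected.
        System.out.println("valid for other-entity: " + trust.validate("other-entity", chain));
    }
}
```

Because each Entity gets its own PKIXParameters, the self-signed CA from the example above can only ever appear in validations for the Roles of the Entity whose descriptor carried it; the validator is never asked to consider it for anyone else, which is what makes the name-restriction byte[] of choice 2 unnecessary.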




