
shibboleth-dev - RE: Follow-up to design call re: path length


RE: Follow-up to design call re: path length


  • From: "Scott Cantor" <>
  • To: "'Howard Gilbert'" <>, <>
  • Subject: RE: Follow-up to design call re: path length
  • Date: Tue, 1 Mar 2005 14:28:51 -0500
  • Organization: The Ohio State University

> I will ask Scott to note that this is an implementation trick that would
> not transfer to another system (such as Shibboleth.NET were there
> such a thing, because the Microsoft library may not, and I have not
> verified this, give you a way to validate certificates against a custom
> list).

This is a fairly different sort of question, which I would recast as "is PKI
library X usable in the real world or only for running PKIX test vectors?".
Of course, it gets harder as you move up the stack (SSL, XMLSig) and I think
I understand you now (sorry for the confusion). You're saying that
implementing the concept of validation against a per-entity list of CAs is
potentially non-portable, and so it may be necessary on some platforms to
implement this using a second pass apart from just path validation. You're
probably correct. It took me three versions to do it without a separate
step.

> 1) Create a custom PKIXParameters object per Entity [preferred]. It is
> constructed from a set of Certificates from the Roles of that Entity and
> from the Metadata Extensions of the EntityDescriptor and its parent
> EntitiesDescriptor. It is used to validate certificates presented with
> regard to the Roles of this Entity.

That is roughly how I do it now (substituting X509_STORE for
PKIXParameters), except for using a separate file, so I had to tie them
together with naming rules. I don't combine sets of certs by applying
multiple matching sets, but that was just a choice.

I have a question though, are you saying that we wouldn't special-case the
embedded key option? The advantage there is bypassing certificate baggage
entirely, as well as not even having to include the certificates in signed
messages in some cases.

Intuitively, I guess I would expect to leave out Certificates found inside
actual KeyDescriptors from this process, and use those first by extracting
just the public key. The validation option would be secondary if that fails
or no keys are present.

-- Scott

PS. This still sidesteps the real question...is it worth it? Bob clearly
thinks so. Walter thinks not, Jim knows he doesn't need it (as do I). Who
does? Shouldn't somebody actually want this?
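The two-step policy Scott sketches above (use a public key embedded in a KeyDescriptor first, and fall back to path validation against a per-entity list of CAs only if that fails or no embedded key exists) can be shown in working code. The following Go program is an added example written for this archive page; it is not code from the thread, from Shibboleth, or from OpenSAML. It uses Go's standard `crypto/x509` package as a stand-in for the Java `PKIXParameters` / OpenSSL `X509_STORE` objects discussed in the thread: each hypothetical `Entity` carries its own `x509.CertPool`, so a role certificate is only ever validated against the CAs that entity's metadata publishes, never against a global store. All CAs, keys, entity IDs and certificates are constructed in memory for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Entity is a hypothetical, minimal stand-in for an EntityDescriptor: the public
// keys found directly inside its KeyDescriptors, plus the CA certificates gathered
// from its metadata extensions, which form a per-entity trust list (the analogue
// of the per-entity PKIXParameters / X509_STORE discussed in the thread).
type Entity struct {
	ID           string
	EmbeddedKeys []crypto.PublicKey
	Roots        *x509.CertPool // nil: this entity publishes no trust anchors
}

// Accept applies the two-step policy: an exact match against an embedded key wins
// outright (the certificate wrapper is irrelevant), and PKIX path validation against
// this entity's own CA list is only the fallback.
func (e *Entity) Accept(presented *x509.Certificate) (string, error) {
	for _, k := range e.EmbeddedKeys {
		if eq, ok := k.(interface{ Equal(crypto.PublicKey) bool }); ok && eq.Equal(presented.PublicKey) {
			return "embedded-key", nil
		}
	}
	if e.Roots == nil {
		return "", errors.New("no embedded key matched and entity publishes no trust anchors")
	}
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     e.Roots, // only this entity's CAs, never a global store
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}); err != nil {
		return "", fmt.Errorf("path validation for %s failed: %w", e.ID, err)
	}
	return "path-validated", nil
}

var serial int64 // unique serial source for the constructed certificates

// template builds a certificate template for a constructed CA or end-entity.
func template(cn string, ca bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl under parent (tmpl == parent yields a self-signed certificate).
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario builds constructed CAs and entities and reports which path each case takes.
func Scenario() (map[string]string, error) {
	caAKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caBKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tA, tB := template("Constructed CA A", true), template("Constructed CA B", true)
	caA, err := issue(tA, tA, caAKey.Public(), caAKey)
	if err != nil {
		return nil, err
	}
	caB, err := issue(tB, tB, caBKey.Public(), caBKey)
	if err != nil {
		return nil, err
	}
	// A role certificate for a constructed SP, issued by CA A.
	leaf, err := issue(template("sp.example.test", false), caA, leafKey.Public(), caAKey)
	if err != nil {
		return nil, err
	}
	// The same key wrapped in a throwaway self-signed certificate: no chain at all.
	tSelf := template("sp.example.test", false)
	selfSigned, err := issue(tSelf, tSelf, leafKey.Public(), leafKey)
	if err != nil {
		return nil, err
	}
	poolA, poolB := x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(caA)
	poolB.AddCert(caB)
	byKey := &Entity{ID: "urn:example:embedded-key", EmbeddedKeys: []crypto.PublicKey{leafKey.Public()}}
	byCAA := &Entity{ID: "urn:example:trusts-ca-a", Roots: poolA}
	byCAB := &Entity{ID: "urn:example:trusts-ca-b", Roots: poolB}

	out := map[string]string{}
	record := func(name string, e *Entity, c *x509.Certificate) {
		if how, err := e.Accept(c); err != nil {
			out[name] = "rejected"
		} else {
			out[name] = how
		}
	}
	record("embedded", byKey, selfSigned) // key matches the KeyDescriptor: no chain needed
	record("path", byCAA, leaf)           // no embedded key; chains to this entity's CA
	record("wrong-entity", byCAB, leaf)   // CA A is not in entity B's list: rejected
	return out, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	for k, v := range r {
		fmt.Printf("%-13s %s\n", k, v)
	}
}
```

The "wrong-entity" case is the point of keeping trust lists per entity rather than in one shared store: a certificate that chains perfectly well to some federation CA is still rejected when that CA is not among the anchors the presenting entity's own metadata declares. The "embedded" case shows the shortcut Scott describes, where the wrapping certificate (here a throwaway self-signed one) carries no weight at all because only the public key is compared.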
