Shibboleth Developers

["Scott Cantor" <>]

I've checked in a schema update and created a MetadataExtensions topic:

https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/MetadataExtensio
ns

The "new" proposed KeyAuthority is outlined there. Main difference is it
carries multiple KeyInfo elements, one per CA (a more correct use of the
element than what I was doing with it).

Only real issue I can see is the VerifyDepth interpretation. One approach is
to treat each KeyAuthority extension as a unique/distinct path building
operation, in which case it's clear to just apply the VerifyDepth as
specified.

This is slower than rolling up any certificates across applicable extensions
and doing one big path building operation, but I'm not sure what the right
VerifyDepth is in that case.

-- Scott