shibboleth-dev - RE: Shib 1.3 configuration


RE: Shib 1.3 configuration


  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>
  • Cc: "'Nate Klingenstein'" <>, "'Shibboleth Development'" <>
  • Subject: RE: Shib 1.3 configuration
  • Date: Mon, 23 May 2005 22:39:09 -0400
  • Organization: The Ohio State University

> You have example.org, example.com, and example.net to play
> with. It would be nice if example.edu were in this group of
> protected domains, but unfortunately it's not.

I actually pushed back against using example.edu so as to counter the "Shib
is only for universities" myth.

> First prerequisite is that the default config run on a single machine.
> This encourages people to download and test on their laptop
> or whatever they have available. (You do want to encourage
> people to try the software, right? :) To meet this
> requirement, any config will do (one entity, two entities-one
> domain, two entities-two domains).

Well, they don't do this. We thought they might. And maybe they will once
both halves are in Java, but I'm dubious of that as well. The truth is, the
Java is as foreign to many people as building a bunch of source is. So in
practice, this config goes unused except by people behind firewalls, who
usually can't deal with much of anything.

I think its main purpose is illustrative, which you partly noted. Most
people only download half of it and they expect it to just work, as weird as
that sounds. That's why the InQueue samples are critical (allowing for the
Example State site accepting these dummy certs).

> Second prerequisite is that the default config generalize
> with as little pain as possible. By "generalize" I mean two
> separate hosts, which is needed to solve bilateral trust in
> full generality. This requires two entities-two domains.
> That opens the door to federated trust.

I don't see why two hostnames in one domain aren't sufficient for this.
There's no practical difference that I can think of. You can obviously fill
in any domain name you want and things are exactly the same.

My concern is that example.* are the only "clearly" reserved domains, and I
believe (I guess this is the point of disagreement) that having both
example.com and example.org (or net) will lead to confusion, but I don't
feel strongly about it.

Anyway, I'm leaving it alone for now so I don't screw anything up, and if
others think we should change the names or split the metadata files up, we
can do that before the final release.

-- Scott

