
shibboleth-dev - RE: Tomcat and certificate validation for SSL


RE: Tomcat and certificate validation for SSL


  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>
  • Cc: <>
  • Subject: RE: Tomcat and certificate validation for SSL
  • Date: Tue, 14 Jun 2005 17:57:53 -0400
  • Organization: The Ohio State University

> So if the IdP finds the SP's cert in that attribute, everything is
> fine? Does the IdP make any (implicit) assumptions regarding this
> cert?

If it's actually in the metadata, we do nothing but compare them. Every
other aspect of the cert is designed to take the established key proof and
claim that it doesn't apply (i.e. it makes things break). So we ignore it
unless we have to validate a chain to establish trust using a metadata
extension.

> So now the certificate is validated twice? Once by mod_ssl and again
> by the new trust validation code in the IdP?

No. mod_ssl can skip validation very easily. SSLVerifyClient optional no_ca

> So what was the rationale for embedding trust validation in the IdP?

Simpler trust configuration than mod_ssl offers, dynamic evaluation based on
the request, the ability to do direct certificate comparison, which is all
90% of the people downloading it want to do, and the ability to control the
error messages (or at least more of them, I think Java's probably rival
Ralf's for horridness). Just for starters. It's the final step in a process
we started years ago and took 4 releases to finish.

Whether Tomcat or Java itself is too broken to support all of this by itself
has never really been a deal-breaker for me, or very important in the scheme
of things once we knew Apache could. It's simply how it should work
(assuming we use TLS at all of course).

I've only just been setting a few test installs up, and I'm already totally
sold, we nailed it.

-- Scott
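The direct comparison Scott describes (the IdP takes the certificate mod_ssl passes through with no_ca and checks whether it is literally the one bound to the SP in metadata, consulting no chain, expiry or name), as an added Python example that is not part of the original thread or of Shibboleth's own code; the entity ID, metadata fragment and certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a placeholder byte string stands in for the SP's DER cert.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_CERT_DER = b"constructed placeholder DER bytes for the SP certificate"

def to_pem(der):
    """Wrap DER bytes in PEM armor, the form mod_ssl exports in SSL_CLIENT_CERT."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed SAML 2.0 metadata fragment binding that certificate to the SP.
METADATA = """<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">
  <md:EntityDescriptor entityID="%s">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>%s</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""" % (MD_NS, DS_NS, SP_ENTITY_ID,
                              "\n" + base64.b64encode(SP_CERT_DER).decode() + "\n")

def metadata_certs(metadata_xml, entity_id):
    """DER bytes of every X509Certificate bound to entity_id in the metadata."""
    certs = []
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % MD_NS):
        if ed.get("entityID") != entity_id:
            continue
        for node in ed.iter("{%s}X509Certificate" % DS_NS):
            # Whitespace and line breaks inside the element are not significant.
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs

def pem_to_der(pem):
    """Strip PEM armor and decode, so the comparison is on canonical DER bytes."""
    lines = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def presented_cert_matches(metadata_xml, entity_id, client_cert_pem):
    """Trusted iff the presented cert's DER bytes equal a cert in the entity's
    metadata; issuer chain, expiry and subject name are deliberately ignored."""
    der = pem_to_der(client_cert_pem)
    return any(der == known for known in metadata_certs(metadata_xml, entity_id))
```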



