Shibboleth Developers

[Ian Young <>]

Scott Cantor wrote:

> > Sounds like I'd still need to worry about this if I had 1.2 SPs around 
> > (which I do).  Fair enough, as long as having the extra junk around does 
> > no harm which it sounds like it won't.
>
> You need the root for the SP to work, and you need the intermediate for the
> IdP to work.

That's very concise; thanks.

> So in practice, chaining at this point is probably a bad idea
> that will serve to confuse.

We don't do chaining for our federation's private CA, that seemed like 
extra complication back then and given this I'm really glad in 
retrospect that we didn't go there.

Some commercial CAs have really exciting signing chains, though, and 
several federations already accept certificates from some such CAs. 
SwissSign (SWITCH use them) and GlobalSign (at least SDSS, Athens and 
InQueue use them) are examples known to me.  So this boat has sailed, 
whether chaining seems sensible or not (and I'm not expressing an 
opinion on that).

It might be worth Steven Carmody including something about this next 
time there is a mailing to the federation technical contacts.

        -- Ian