Shibboleth Developers

[Thomas Lenggenhager <>]

--On 6. Juli 2005 12:43:06 -0400 Scott Cantor 
<>
 wrote:

> > Some commercial CAs have really exciting signing chains, though, and
> > several federations already accept certificates from some such CAs.
> > SwissSign (SWITCH use them) and GlobalSign (at least SDSS, Athens and
> > InQueue use them) are examples known to me.  So this boat has sailed,
> > whether chaining seems sensible or not (and I'm not expressing an
> > opinion on that).
>
> Yeah, I know the reasoning, but I'm not really sure people understand the
> implications of using those kinds of certificates. The deeper the chain,
> the more likely it is that there are no controls on name clashes across
> the hierarchy.
>
> This will obviously go in the wiki regardless.

We are aware of the problem such chains include and hopefully we will
not have to live for too long with that, but we had the requirement
for server certs signed by a CA included in the browser. So that there
are no browser pop-ups and no root cert to be installed by the user.

Thomas