shibboleth-dev - RE: Testing SP against IQ

Subject: Shibboleth Developers


RE: Testing SP against IQ


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Testing SP against IQ
  • Date: Mon, 19 Sep 2005 14:01:24 -0400
  • Organization: The Ohio State University

> Something is wrong here. Either there is a missing KeyDescriptor in the
> Metadata, or checkname should be false, or the code in validate() is
> wrong.
> I can figure that much from stepping through the Java, but which of the
> three is the problem requires help from one of you guys.

In my way of thinking, checkName should be false. I added that option
(copying what I had done in C++) so that the transport layer could be used
to do key name checking and then it could be skipped when appropriate if the
calling code knew to do this.

My TLS client library does key name checking (if it's told to) using the
full TLS algorithm (subjectAltName or CN), so I let it. Then I just pass
false when I do the path validation later.

My thinking was that most SAML products are not going to handle an
arbitrarily named server cert, so I didn't worry about supporting that
because it would just get people in trouble long term if they did it.

Note that this only applies to the TLS client, not the TLS server, which
does validate the name in the client cert against KeyDescriptors.

-- Scott
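The layering Scott describes, shown as an added illustration that is not code from this thread or from the Shibboleth SP: the transport (TLS client) matches the peer certificate's name against the KeyName values from metadata using the usual TLS rule (dNSName subjectAltName entries first, CommonName only as a fallback), and the later path-validation call takes a check_name flag so that name matching is skipped when the transport already did it. The certificate dicts follow the shape Python's ssl.SSLSocket.getpeercert() returns; the hostnames, KeyName list and CA name are constructed sample data, and the "path" check is simplified to an issuer lookup.

```python
"""Added example: metadata-driven name checking at the transport layer, with
a check_name toggle on the later validation step (not Shibboleth code)."""


def _match_label(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard in the leftmost label only
    that covers exactly one label (so '*.a.b' matches 'x.a.b', not 'y.x.a.b')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_names(cert):
    """Names a TLS client may match on, in the order it consults them.
    When any dNSName SAN is present the CN is ignored (the 'full TLS algorithm')."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _issuer_cn(cert):
    for rdn in cert.get("issuer", ()):
        for k, v in rdn:
            if k == "commonName":
                return v
    return None


def transport_name_check(cert, key_names):
    """What the TLS client does when told to check names: the peer cert must
    match at least one KeyName taken from the entity's KeyDescriptors."""
    return any(_match_label(n, k) for n in cert_names(cert) for k in key_names)


def path_validate(cert, key_names, trusted_issuers, check_name=True):
    """Later validation step with the check_name toggle from the thread.
    The trust path is reduced here to 'issuer CN is in the trusted set'."""
    if _issuer_cn(cert) not in trusted_issuers:
        return False
    if check_name and not transport_name_check(cert, key_names):
        return False
    return True


def client_fetch(cert, key_names, trusted_issuers):
    """The flow Scott describes: the transport checks the name, so the
    subsequent path validation is called with check_name=False."""
    if not transport_name_check(cert, key_names):
        return "rejected: peer name does not match any KeyName"
    if not path_validate(cert, key_names, trusted_issuers, check_name=False):
        return "rejected: untrusted certificate path"
    return "accepted"


# Constructed sample data in the getpeercert() dict shape (not real entities).
IDP_CERT = {
    "subject": ((("commonName", "idp.example.org"),),),
    "issuer": ((("commonName", "Example Federation CA"),),),
    "subjectAltName": (("DNS", "idp.example.org"), ("DNS", "*.idp-cluster.example.org")),
}
LEGACY_CERT = {  # no SANs at all, so only the CN is usable
    "subject": ((("commonName", "legacy-idp.example.org"),),),
    "issuer": ((("commonName", "Example Federation CA"),),),
}
ODD_CERT = {  # "arbitrarily named" server cert: trusted path, but no name matches
    "subject": ((("commonName", "Some Company Web Server"),),),
    "issuer": ((("commonName", "Example Federation CA"),),),
    "subjectAltName": (("DNS", "www.somecompany.example"),),
}
UNTRUSTED_CERT = {  # right name, issued by a CA that is not in metadata
    "subject": ((("commonName", "idp.example.org"),),),
    "issuer": ((("commonName", "Random Public CA"),),),
    "subjectAltName": (("DNS", "idp.example.org"),),
}
METADATA_KEYNAMES = ["idp.example.org", "legacy-idp.example.org"]
TRUSTED_ISSUERS = {"Example Federation CA"}

if __name__ == "__main__":
    for label, c in [("idp", IDP_CERT), ("legacy", LEGACY_CERT),
                     ("odd", ODD_CERT), ("untrusted", UNTRUSTED_CERT)]:
        print(label, "->", client_fetch(c, METADATA_KEYNAMES, TRUSTED_ISSUERS))
```

The last assertion-worthy case is the one the thread turns on: with check_name=False, path_validate alone accepts ODD_CERT because its chain is fine, which is correct only because the caller already ran the transport check; passing False from code that did not is exactly the gap the quoted question was worried about.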
