shibboleth-dev - RE: authentication authority

RE: authentication authority


  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>, <>
  • Subject: RE: authentication authority
  • Date: Thu, 6 Oct 2005 11:30:22 -0400
  • Organization: The Ohio State University

It seems like what you're really trying to do is address a pair of issues,
and I think inventing a new protocol to get an authentication assertion and
sticking that in a certificate is probably overkill for both.

You seem to be aiming at:

- supporting pseudonymity using transient subject names

- getting a subject name into the certificate that will be understood by the
SAML authority later

Those goals are separable, of course.

One way of doing this that solves both issues is essentially what the
LionShare CA does, using the self-encrypted handle generator to build an ID
at the CA that can be decrypted by the SAML authority. Personally, I think
that's the easiest solution.

Alternatively, this seems more like a use case for the SAML 2
NameIdentifierMapping protocol, perhaps extended a bit. What you want isn't
an authentication assertion, you just want a NameID that is valid for a
particular principal in a particular format. Then you can just put that name
in the certificate subject.

-- Scott
