shibboleth-dev - RE: NameIdentifier TTL
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: NameIdentifier TTL
- Date: Mon, 12 Dec 2005 11:19:01 -0500
- Organization: The Ohio State University
> > Shibboleth identifiers are as SP-specific as you want them to be.
>
> Could you explain a bit more what you mean? (The target SP is not
> involved in the production or consumption of the identifier AFAIK.)
If that's true, then the API is broken, since we can't do federated IDs
without that parameter. I assumed if it was available to the attribute
resolver that it would be available to the ID resolver. I suspect it would
be a trivial hack to get it added in.
> Sorry, I failed to make things clear before...the CA *is* generating
> the key for the client.
Umm. That's not how the kX.509 thing works at Michigan, I don't think, so
why would anybody accept that? The client should generate the key and send
the public half up to the CA to get the cert issued...
> Okay. So specifying Conditions to hold the TTL is the way to
> go in this case?
Assuming you mean NotBefore and NotOnOrAfter, then yeah, that's probably
what I would do.
-- Scott
- NameIdentifier TTL, Tom Scavo, 12/09/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/10/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/12/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/12/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/12/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/12/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/12/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/10/2005
Archive powered by MHonArc 2.6.16.