Shibboleth Developers

["Scott Cantor" <>]

> I thought InQueue's problem was that it got into production sites,
> thereby defeating all your excellent crypto code.

shibtest is literally going to generate the key for you and hand it back on
a web page. I don't know what else we can do to prevent misunderstandings,
but I think starting with the loud message that it's not secure will help.

InQueue's message was decidedly mixed at times.

> > But frankly, popping the stack here, the issue is not defaults or how
> > people *should* start...it's installation/config scripts that can
> > prompt for the information and get the files changed. And we don't have
> > those yet.
> 
> Well, I wasn't complaining.  But we were asked to comment.

I'm complaining about myself if anything, but mostly just commenting on your
comment. We can rathole a lot on the right defaults, but the point is none
of the defaults we've used have avoided the problem of initial setup
options, and I think that's what needs to be improved first.

-- Scott