shibboleth-dev - RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- From: "Scott Cantor" <>
- Subject: RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- Date: Mon, 3 Jul 2006 13:08:20 -0400
- Organization: The Ohio State University
> Would the following metadata file excerpt (which I constructed by
> reading the schema files) work?
I don't think RetrievalMethod is supported. It could be, but it's pretty
worthless in this context.
> Will Shibboleth be aware of multiple KeyAuthority elements under the
> Extensions element using different verifyDepths?
Every applicable KeyAuthority is a distinct rule to try. They don't interact
or merge, so the depth is per-rule.
> Would verifyDepth=2 be sufficient for this example of two CAs
> in the chain validating the EE-certificate?
Probably, I'd have to go back and look.
> Where in the logs can I observe that Shibboleth was
> validating certificates against a certificate chain and which CRLs were
> used?
Probably nowhere with that level of detail.
> If CRLs are stored in other files than the metadata file using the
> RetrievalMethod element will Shibboleth notice an updated CRL if the
> metadata file has not been updated?
CRLs CANNOT be stored in other files. And if they could, the answer would be
no, which is why we won't. So if you want this, there's the API and you're
welcome to do it.
> One does not want certificates for ClientAuth to be validated only via CAs
> without checking for revoked ones against an up-to-date CRL, using OCSP or
> other means.
Right, so PKI is a bad idea here. Nobody will do what you're describing, so
I think we have our answer. Most of the core team was already of this
opinion, I was one of the few who still waffled a little. But I have to
concede the point now.
-- Scott
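The two mechanics argued over above, a per-rule verify depth and a CRL that is only as good as the copy the validator was handed, can be reproduced with plain openssl. The script below is an added example and is not code from this thread or from the Shibboleth project; it assumes (the thread implies but does not state it) that a KeyAuthority's VerifyDepth is passed straight to OpenSSL's verify depth. It builds a root CA, an intermediate CA and an end-entity certificate (the names "Demo Root CA", "Demo Intermediate CA" and "sp.example.org", the temporary work directory and the function names are constructed for the demo), then validates the end-entity certificate with three verify depths and with two CRLs from the intermediate, one issued before the certificate was revoked and one after. Current OpenSSL documents the depth as the number of intermediate CAs, whereas the 2006-era semantics counted levels from the leaf, so only depth 2 (accepted) and depth 0 (rejected) are version-independent; depth 1 is printed for comparison.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shibboleth: build a
# root CA -> intermediate CA -> end-entity chain with openssl, then show
# how the verify depth and the CRL in use change the validation result.
# All names, the work directory and the certificates are constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: a [req] section so "openssl req" does not depend on the
# system openssl.cnf, and a [ca] section the intermediate uses to issue CRLs.
write_config() {
  cat > "$WORK/demo.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
crlnumber = $WORK/crlnumber
private_key = $WORK/inter.key
certificate = $WORK/inter.pem
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$WORK/ee.ext"
  touch "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
}

# Generate a key pair and CSR for file stem $1 with subject CN $2.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Build the three-certificate chain and two CRLs from the intermediate:
# inter-empty.crl before the EE certificate is revoked, inter.crl after.
make_chain() {
  if [ -f "$WORK/inter.crl" ]; then return 0; fi
  write_config
  new_csr root "Demo Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 30 -sha256 -out "$WORK/root.pem" >/dev/null 2>&1
  new_csr inter "Demo Intermediate CA"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 30 -sha256 -out "$WORK/inter.pem" >/dev/null 2>&1
  new_csr ee "sp.example.org"
  openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/ee.ext" -days 30 -sha256 -out "$WORK/ee.pem" >/dev/null 2>&1
  # CRL 1: nothing revoked yet. A validator holding only this copy keeps
  # accepting the certificate no matter what happens afterwards.
  openssl ca -gencrl -config "$WORK/demo.cnf" -out "$WORK/inter-empty.crl" >/dev/null 2>&1
  # Revoke the EE certificate; CRL 2 carries the revocation.
  openssl ca -revoke "$WORK/ee.pem" -config "$WORK/demo.cnf" >/dev/null 2>&1
  openssl ca -gencrl -config "$WORK/demo.cnf" -out "$WORK/inter.crl" >/dev/null 2>&1
}

# Validate ee.pem against the root, offering the intermediate as untrusted
# chain material plus the extra options given. Returns 0 only if OpenSSL
# reported the chain as OK (checked on the output, not the exit code, since
# old releases exited 0 on failure).
check() {
  check_label=$1; shift
  check_out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$@" "$WORK/ee.pem" 2>&1) || true
  printf '[%s] %s\n' "$check_label" "$check_out"
  printf '%s\n' "$check_out" | grep -q ': OK$'
}

verify_depth() { check "verify_depth=$1" -verify_depth "$1"; }
verify_crl()   { check "crl=$(basename "$1")" -crl_check -CRLfile "$1"; }

make_chain
for d in 2 1 0; do verify_depth "$d" || true; done
verify_crl "$WORK/inter-empty.crl" || true
verify_crl "$WORK/inter.crl" || true
```

The last two runs are the thread's point in miniature: the same chain is "OK" with the stale CRL and "certificate revoked" with the fresh one, and the validator has no way to tell which it was given. A depth limit is likewise evaluated per rule (one anchor set, one depth), which is why the script never mixes the anchors from one run with the depth from another.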
- Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Reimer Karlsen-Masur, DFN-CERT, 07/03/2006
- RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Scott Cantor, 07/03/2006
- Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Reimer Karlsen-Masur, DFN-CERT, 07/04/2006
- RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Scott Cantor, 07/04/2006
- Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Reimer Karlsen-Masur, DFN-CERT, 07/05/2006
- RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Scott Cantor, 07/05/2006
- Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Reimer Karlsen-Masur, DFN-CERT, 07/05/2006
- RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Scott Cantor, 07/04/2006
- Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Reimer Karlsen-Masur, DFN-CERT, 07/04/2006
- RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies), Scott Cantor, 07/03/2006