shibboleth-dev - Re: query profile support in Shib 2
Subject: Shibboleth Developers
List archive
- From: "Tom Scavo" <>
- To:
- Subject: Re: query profile support in Shib 2
- Date: Mon, 31 Jul 2006 14:03:34 -0400
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YhcV+rdfAeHLepEKP6aFmG3/csE9/rTB9IETOMsk3Mh/U3xQCaBF3bKvR3Id1JGNjDwfq78V1a79uBQQ7sri6w5AqXiyXr3RJHDrqShsvbqofqMq4UQDZwynV7iCaYA/iOnoPZ4QNB78NoMGmhgtm0XmD18n5j6DZBVkAptoN24=
On 7/30/06, Scott Cantor
<>
wrote:
> > No, that part is meaningless but transparent to SAML. I mean the X.509
> > authentication part.
>
> That's not part of the Attribute Sharing Profile, so I still don't
> understand your concern.
Last time I read it, the X.509 profile had steps in it related to browser
authentication using a certificate.
No, not in any version I'm familiar with (and I think I've read them all).
If GridShib is working today, then it must be reusing Shib-profiled 1.x
queries, so I don't see why there's a problem or a need for anything new
there.
GridShib relies on separate metadata files, so the problem didn't
occur to me until recently. Once I added metadata requirements to the
Attribute Sharing Profile (to distinguish the two subcases in that
profile), I realized there was a problem.
If it wants to use 2.0 queries, I think it ought to use standard 2.0
queries for that, and that doesn't collide, so no problem.
GridShib relies on the emerging Attribute Sharing Profile for X.509
Authentication-based Systems, not plain vanilla 2.0 queries.
But I caution you that you can't use metadata as a substitute for a general
security policy language. It will never reflect all the signing, encryption,
algorithm, authentication, etc. options that exist in the world and it was
never meant to. And even if it did, real-world interop ends at ds:KeyInfo
anyway, so it's just illusion.
I understand that, I'm just pointing out limitations in the use of
metadata. If every AttributeService endpoint were identified by a URI
in metadata, there wouldn't be a problem. Since that would break
backward compatibility, I realize it's not possible, so I'm simply
observing that a workaround is to have separate metadata files for the
various profiles. At least two metadata files are needed, one for the
SAML profiles (which are not identified by a URI in metadata) and
another one for all the rest (assuming everything from here on out is
identified by a URI in metadata).
Tom
- query profile support in Shib 2, Tom Scavo, 07/29/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/29/2006
- Re: query profile support in Shib 2, Tom Scavo, 07/30/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/30/2006
- Re: query profile support in Shib 2, Tom Scavo, 07/30/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/30/2006
- Re: query profile support in Shib 2, Tom Scavo, 07/31/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/31/2006
- Re: query profile support in Shib 2, Tom Scavo, 07/31/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/31/2006
- Re: query profile support in Shib 2, Tom Scavo, 07/31/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/31/2006
- Re: query profile support in Shib 2, Tom Scavo, 07/31/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/30/2006
- Re: query profile support in Shib 2, Tom Scavo, 07/30/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/30/2006
- Re: query profile support in Shib 2, Tom Scavo, 07/30/2006
- RE: query profile support in Shib 2, Scott Cantor, 07/29/2006
Archive powered by MHonArc 2.6.16.