shibboleth-dev - RE: Dynamic Federation
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: Dynamic Federation
- Date: Mon, 3 Dec 2007 12:24:27 -0500
- Organization: The Ohio State University
> In what way? (I apologise if this is a daft question, I am just trying
> to understand!)
I don't think anybody is going to agree on what constitutes good design, so
it comes down to who's writing the code, but IMHO the APIs and libraries for
doing security work are simply awful. If the interface between the code and
the security layer has to accommodate a bunch of radically different
approaches, that's very difficult to pull off and hard to make reliable.
The newer PKIX trust engine is a nightmare of code that barely works on a
good day thanks to all the bugs and quirks in its dependencies, and the
original one that had a separate trust file and had to map from metadata to
keys by reference was an order of magnitude worse. By comparison, the
explicit key engine is trivial (as far as these things go anyway).
The whole system hangs together much more cleanly if we confine
experimentation to the exchange and verification of input to the metadata
API behind a single interface, and the volume of security bugs will be much
lower.
-- Scott