
shibboleth-dev - Re: Draft Holder-of-Key Web SSO Profile

Subject: Shibboleth Developers


Re: Draft Holder-of-Key Web SSO Profile


  • From: "Diego R. Lopez" <>
  • To:
  • Subject: Re: Draft Holder-of-Key Web SSO Profile
  • Date: Fri, 15 Feb 2008 21:15:05 +0100

Hi,

On 15 Feb 2008, at 03:18, Nate Klingenstein wrote:
As there has been some discussion about client TLS authentication to IdP's on this list, along with a bunch of sharp resident federated thinkers, I wanted to run the draft by you for any feedback or ideas before I take it to the SSTC for further work. All ideas or complaints, no matter how nebulous, are useful.


I see it as a pretty interesting step towards a better integration with our
Grid communities, as well as a source of interesting ideas for the profiles on
automated network clients we are working with in eduGAIN.

And two questions from down here:

+ I have not seen in the profile a specific request for the user to employ the same
certificate when identifying to the IdP and when connecting to the SP. This
shall be made explicit as a MUST in the profile, I think, leaving the methods for
that (from warning the user to forcing a specific CA in the TLS negotiation) open.

+ Don't you think that the use of Short-Lived Certificate Services (see the SLCS
developed in EGEE-II: http://www.terena.org/activities/nrens-n-grids/workshop-06/slides/witzig-switch-slcs-vash.pdf) shall be discussed as a mitigation of the
cert being a persistent ID?

Be goode,


--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez

Red.es - RedIRIS
The Spanish NREN

e-mail:

jid:

Tel: +34 955 056 621
Mobile: +34 669 898 094
-----------------------------------------
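The first question above concerns the check an SP would have to perform under a holder-of-key profile: the client certificate presented on the SP's own TLS connection must be the one the IdP bound into the assertion. The following is an added illustration, not code from the draft profile or from Shibboleth; it assumes a SAML 2.0 assertion carrying the certificate under a holder-of-key SubjectConfirmation, and that signature and issuer validation of the assertion have already been done by the caller. The sample assertion and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; comparing digests avoids any parsing of the cert."""
    return hashlib.sha256(der).hexdigest()


def confirmation_certs(assertion_xml: str) -> list:
    """Return the DER certificates from every holder-of-key SubjectConfirmation.
    Bearer (or other) confirmations carry no key and are skipped on purpose."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.findall(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        for c in sc.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode(c.text.strip()))
    return certs


def tls_cert_matches_assertion(assertion_xml: str, tls_peer_der: bytes) -> bool:
    """True only if the certificate the client presented on the SP's TLS
    connection is one the IdP bound into the assertion (the 'same certificate'
    requirement raised in the mail). Assumes the assertion is already verified."""
    wanted = fingerprint(tls_peer_der)
    return any(fingerprint(c) == wanted for c in confirmation_certs(assertion_xml))


# Constructed sample data, not real certificates.
CERT_A = b"constructed-der-bytes-for-cert-A"
CERT_B = b"constructed-der-bytes-for-cert-B"

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(CERT_A).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print(tls_cert_matches_assertion(SAMPLE_ASSERTION, CERT_A))  # True
    print(tls_cert_matches_assertion(SAMPLE_ASSERTION, CERT_B))  # False
```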
