
shibboleth-dev - Re: Draft Holder-of-Key Web SSO Profile

  • From: Nate Klingenstein <>
  • Subject: Re: Draft Holder-of-Key Web SSO Profile
  • Date: Sun, 17 Feb 2008 11:18:16 +0000

Diego,

What you're seeing, aside from the browser making silly caching or user interface decisions which it very well might, could be the constraint of the acceptable root issuers by the presentation of a CA list in the TLS handshake. I had no idea there was the ability to constrain the certificate presented by a client in the message flows until recently, so it might be news to you too.

Regardless, I want to keep the SP as agnostic as possible with regards to the certificate itself. I'm not trying to reinvent PKI with SAML attribute transport, which probably wouldn't need a separate profile since the authentication of the client by the SP doesn't even use the SAML assertion. I would rather simply like to use TLS as a vector and checking mechanism for keys for SAML assertions.

I would also very much like to see better client TLS implementations in browsers, but I think that would require a separate effort perhaps involving a baseball bat.

Being goode,
Nate.

On 16 Feb 2008, at 17:53, Diego R. Lopez wrote:

I have four different keypairs (along
with their corresponding certificates) stored by my browser, and sometimes the
browser asks which key to use for a certain connection, sometimes it doesn't
and proposes one automatically (I guess I could configure the browser to take the
decision on its own). This is the kind of situation I think should be addressed.
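The CA-list mechanism Nate points to, as an added example that is not part of this thread or of Shibboleth's code: a TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4) carries a certificate_authorities list of DER-encoded issuer names, and the client is expected to offer only certificates that chain to one of them. The code below builds such a message, parses it back, and applies that filter to four constructed client certificates, which is one explanation for a browser that sometimes prompts (several matches), sometimes chooses silently (one match) and sometimes sends nothing (no match). The issuer names, labels and the direct-issuer-only matching are assumptions of the example; real clients also match CAs further up the candidate's chain.

```python
"""Added example: how a TLS 1.2 CertificateRequest's certificate_authorities
list constrains which client certificate a browser can present
(RFC 5246, section 7.4.4). Not code from the Shibboleth project."""
import struct

# --- Minimal DER encoding of an X.501 Name, enough to build issuer DNs ---
_OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}  # 2.5.4.3, 2.5.4.10

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_name(**rdns):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN and O only)."""
    rdn_seq = b""
    for attr, value in rdns.items():
        atv = _der(0x30, _der(0x06, _OIDS[attr]) + _der(0x0c, value.encode()))
        rdn_seq += _der(0x31, atv)
    return _der(0x30, rdn_seq)

def build_certificate_request(ca_names):
    """Server side: CertificateRequest body listing the given DER issuer names."""
    cert_types = bytes([1, 64])                 # rsa_sign, ecdsa_sign
    sig_algs = bytes([0x04, 0x01, 0x04, 0x03])  # rsa/sha256, ecdsa/sha256
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)

def _take(body, pos, n):
    """Slice n bytes at pos or fail loudly; never trust wire lengths."""
    if pos + n > len(body):
        raise ValueError("truncated CertificateRequest")
    return body[pos:pos + n], pos + n

def parse_certificate_request(body):
    """Return (cert_types, sig_algs, [issuer DER, ...]); ValueError if malformed."""
    raw, pos = _take(body, 0, 1)
    cert_types, pos = _take(body, pos, raw[0])
    raw, pos = _take(body, pos, 2)
    sig_raw, pos = _take(body, pos, struct.unpack("!H", raw)[0])
    sig_algs = [tuple(sig_raw[i:i + 2]) for i in range(0, len(sig_raw), 2)]
    raw, pos = _take(body, pos, 2)
    ca_raw, pos = _take(body, pos, struct.unpack("!H", raw)[0])
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    cas, p = [], 0
    while p < len(ca_raw):
        raw, p = _take(ca_raw, p, 2)
        name, p = _take(ca_raw, p, struct.unpack("!H", raw)[0])
        cas.append(name)
    return list(cert_types), sig_algs, cas

def select_client_certs(body, candidates):
    """Client side: which stored certs may be offered to this server?
    candidates: [(label, issuer_der)]. An empty CA list means any issuer is
    acceptable (RFC 5246). Simplification (assumption of this example): only
    the direct issuer is compared, not CAs further up the chain."""
    _, _, cas = parse_certificate_request(body)
    if not cas:
        return [label for label, _ in candidates]
    return [label for label, issuer in candidates if issuer in cas]

# Constructed test data: four client certs, mirroring the four keypairs above.
CAMPUS_CA = der_name(CN="Campus CA", O="Example University")
GRID_CA = der_name(CN="Grid CA", O="Example Grid")
CANDIDATES = [
    ("campus", CAMPUS_CA),
    ("grid", GRID_CA),
    ("personal", der_name(CN="Personal Mail CA")),
    ("corp", der_name(CN="Corp CA", O="Example Corp")),
]

def demo():
    """Four servers, four outcomes: silent pick, prompt, nothing sent, anything goes."""
    return {
        "one_ca": select_client_certs(build_certificate_request([CAMPUS_CA]), CANDIDATES),
        "two_cas": select_client_certs(build_certificate_request([CAMPUS_CA, GRID_CA]), CANDIDATES),
        "unknown_ca": select_client_certs(build_certificate_request([der_name(CN="Other CA")]), CANDIDATES),
        "any_ca": select_client_certs(build_certificate_request([]), CANDIDATES),
    }

if __name__ == "__main__":
    for scenario, labels in demo().items():
        print(f"{scenario:>10}: {labels}")
```

Run it directly to see the four scenarios. When debugging a real deployment, the same list can be read off the wire with `openssl s_client -connect host:443 -msg` and compared against the issuers of the certificates in the browser's store.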