Shibboleth Developers

[Peter Williams <>]

See 2003: http://lists.oasis-open.org/archives/wss/200306/msg00096.html

Try to ensure shib stays with the intended semantics of the SKI. It is not a 
mere implementation types : the various identifiers were defined to ensure 
that particular control objectives are (or at least can be) satisfied. 
Obviously, whether security profiles of the ASN.1 types actually satisfy the 
associated control objectives depends on the skill of the profiling team.

-----Original Message-----
From: Scott Cantor 
[mailto:]
Sent: Saturday, August 09, 2008 12:01 PM
To: 'Tom Scavo'
Cc: 

Subject: RE: [Shib-Dev] how to deliver personal infocard keyinfo to app?

> The docs you quoted referred to an *input* format, presumably to
> construct a certificate.

No, I was just pasting from the manpage of the openssl rsa command. Inform
and outform are the same options and formats. Nothing to do with
certificates at all.

> I thought you and Jim were discussing a
> format to pass from the SP to the application, in which case I don't
> see how constructing a certificate applies (which I think Jim said, in
> so many words).  So I'm confused, and I'll shut up until I understand
> the context better :-)

We are discussing that, but my feeling has been that a mechanism that
communicates the actual key is better than a hash if it's possible to do so.
In this case it may be more work than it's worth, so using some kind of SKI
approach might be the best middle ground (a semi-standard sort of hash).

-- Scott