Shibboleth Developers

[Jim Fox <>]

> > My inclination is to drop the public key - hash and all.
> > If the PPID is important to the service, then the service
> > can protect it.
>
> How? The key is the only protection. The service can't protect it in any
> other way.
>
> My goal was to provide the key in a simple format and leave it at that. I
> still think that's possible, but it will require some openssl functions to
> pull off. It's not hard, but I don't object to avoiding linkage to openssl
> either.

My thinking is that the PPID has the security of a big random number,
which cannot be guessed.   It can only be compromised if the application
gives it away.  It can be protected by keeping it secret.

How about a base64 of an sha1 of the modulus?  That's a mathematical 
thing.  All languages ought to do it about the same.

Jim