
shibboleth-dev - comments in metadata files

Subject: Shibboleth Developers

  • From: Ian Young <>
  • To:
  • Subject: comments in metadata files
  • Date: Mon, 23 Mar 2009 17:18:44 +0000

Things have changed a little in the handling of comments in remote metadata files between Shibboleth 1.3 and Shibboleth 2.x. Here's a quick summary based on the following schematic example:

<?xml ....?>
<!-- this is comment A -->
<EntitiesDescriptor ...>
<!-- this is comment B -->
...
</EntitiesDescriptor>

When signed by metadatatool, such a file becomes:

<?xml ....?>
<!-- this is comment A -->
<EntitiesDescriptor ...>
<ds:SignedInfo>
... a couple of pages of stuff ...
</ds:SignedInfo>
<!-- this is comment B -->
...
</EntitiesDescriptor>

This is the remote metadata file to be downloaded as follows:

In Shibboleth 1.3:

* the metadatatool application used by the 1.3 IdP fetches the remote file and writes a local copy preserving both comment A and comment B

* the siterefresh application used by the 1.3 SP fetches the remote file and writes a local copy omitting comment A but preserving comment B

In Shibboleth 2.x:

* The IdP's built-in metadata fetcher fetches the remote file and writes a local copy which by default omits both comment A and comment B[1]

* You can set something in internal.xml to a non-default value to make the IdP preserve comment B, but it still omits comment A

* The SP's built-in metadata fetcher fetches the remote file and writes a local copy which omits comment A but preserves comment B

This came up because we have been writing a date and time into comment A so that people can check whether their system has downloaded a recent copy of the metadata. Turns out that has only ever worked with the 1.3 IdP, which is I guess what I looked at when I originally did this.

Moving to putting such a comment inside the EntitiesDescriptor is less good because the *signature* is interposed (at least by metadatatool) immediately after the opening tag and the interesting comment ends up a page or two down the resulting file. Plus, of course, the 2.x IdP still throws such a comment away.

The reason I'm even looking at comments here is that although you can add arbitrary attributes to an EntityDescriptor (in your own namespace) that's not permitted by the schema for EntitiesDescriptor as far as I can tell.

Ideally, from the point of view of putting something in the file that people can read to help debug downloading issues, I'd want comment A to be preserved by the download process. This only ever seems to have been done by metadatatool, so I can see that might be a hard sell unless someone other than me sees some value there. Any takers?

Stepping back from the ideal, I think removing all comments from downloaded metadata (and element white space, which is also stripped in the IdP default settings in internal.xml) isn't the right default. This space-saving micro-optimisation must have been overshadowed by several (decimal) orders of magnitude by the changes Chad made in 2.1.2 to use better data structures. Unless I'm missing something?

Finally, does anyone have any other approaches they can suggest to putting this kind of human-readable marker somewhere close to the top of a metadata file such that it will make it into the downloaded version?

-- Ian


[1] I can't figure out why this (apparently) doesn't break the signature on the file, at least according to oXygen. After all, the signature is done using http://www.w3.org/2001/10/xml-exc-c14n#WithComments

Attachment: smime.p7s
Description: S/MIME cryptographic signature
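The pattern in the message (comment A before the root element is lost, comment B inside it survives only when the fetcher is told to keep comments) falls out of how tree-based XML parsers work: a document-level comment has no element to hang on, so a fetcher that parses the file and writes the tree back out can never reproduce it. The script below, added here as an illustration and not taken from Ian Young's message or from any Shibboleth component, shows this with Python's standard-library ElementTree standing in for the fetcher. The sample metadata, the "published" marker wording and the helper names are constructed for the example; `validUntil` and the real Shibboleth internals are not modelled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the schematic in the post; not real federation data.
METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!-- comment A: published 2009-03-23T17:18:44Z -->
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-federation">
<!-- comment B: published 2009-03-23T17:18:44Z -->
<EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
</EntitiesDescriptor>
"""

# Keeps the usual "md" prefix when the tree is serialised again.
ET.register_namespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")

# Hypothetical marker format assumed by this example only.
MARKER = re.compile(r"published (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")


def locate_comments(xml_bytes):
    """Return [(comment_text, 'outside-root' | 'inside-root'), ...] in document order.

    A pull parser sees every comment as it streams past, including those that
    precede the root element; element depth tells us which side of the root
    each one sits on.
    """
    parser = ET.XMLPullParser(events=("start", "end", "comment"))
    parser.feed(xml_bytes)
    depth = 0
    found = []
    for event, node in parser.read_events():
        if event == "start":
            depth += 1
        elif event == "end":
            depth -= 1
        else:  # "comment": node is a Comment element whose .text is the body
            where = "inside-root" if depth > 0 else "outside-root"
            found.append((node.text.strip(), where))
    parser.close()
    return found


def reserialize(xml_bytes, keep_comments):
    """Parse into a tree and write it back out, as a fetcher storing a parsed copy would.

    Comments inside the root element survive only when the tree builder is asked
    to keep them; a comment before the root never does, because the tree model
    has nowhere to attach it.
    """
    builder = ET.TreeBuilder(insert_comments=keep_comments)
    root = ET.fromstring(xml_bytes, parser=ET.XMLParser(target=builder))
    return ET.tostring(root, encoding="unicode")


def published_marker(xml_bytes):
    """Return the timestamp from the first comment carrying the marker, or None if none survived."""
    for text, _where in locate_comments(xml_bytes):
        match = MARKER.search(text)
        if match:
            return match.group(1)
    return None


if __name__ == "__main__":
    print(locate_comments(METADATA))
    for keep in (True, False):
        copy = reserialize(METADATA, keep_comments=keep)
        print("keep_comments=%s -> marker %r" % (keep, published_marker(copy.encode())))
```

Running it shows the marker readable from the original file, still readable from the copy made with `keep_comments=True` (only comment B carries it there), and gone from the copy made with `keep_comments=False`, which is the 2.x IdP default the message describes. On the signature question: comment A lies outside the EntitiesDescriptor element, so a fetcher can drop it without touching anything a Reference over that element canonicalises; and XML Signature's same-document references (`URI=""` and `URI="#id"`) exclude comment nodes from the referenced node-set regardless of which canonicalization algorithm, WithComments or not, is named in SignedInfo, so a comment placed inside the element is also not necessarily signed.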
