shibboleth-dev - comments in metadata files
Subject: Shibboleth Developers
List archive
- From: Ian Young <>
- To:
- Subject: comments in metadata files
- Date: Mon, 23 Mar 2009 17:18:44 +0000
Things have changed a little in the handling of comments in remote metadata files between Shibboleth 1.3 and Shibboleth 2.x. Here's a quick summary based on the following schematic example:
<?xml ....?>
<!-- this is comment A -->
<EntitiesDescriptor ...>
<!-- this is comment B -->
...
</EntitiesDescriptor>
When signed by metadatatool, such a file becomes:
<?xml ....?>
<!-- this is comment A -->
<EntitiesDescriptor ...>
<ds:SignedInfo>
... a couple of pages of stuff ...
</ds:SignedInfo>
<!-- this is comment B -->
...
</EntitiesDescriptor>
This is the remote metadata file to be downloaded as follows:
In Shibboleth 1.3:
* the metadatatool application used by the 1.3 IdP fetches the remote file and writes a local copy preserving both comment A and comment B
* the siterefresh application used by the 1.3 SP fetches the remote file and writes a local copy omitting comment A but preserving comment B
In Shibboleth 2.x:
* The IdP's built-in metadata fetcher fetches the remote file and writes a local copy which by default omits both comment A and comment B[1]
* You can set something in internal.xml to a non-default value to make the IdP preserve comment B, but it still omits comment A
* The SP's built-in metadata fetcher fetches the remote file and writes a local copy which omits comment A but preserves comment B
This came up because we have been writing a date and time into comment A so that people can check whether their system has downloaded a recent copy of the metadata. Turns out that has only ever worked with the 1.3 IdP, which is I guess what I looked at when I originally did this.
Moving to putting such a comment inside the EntitiesDescriptor is less good because the *signature* is interposed (at least by metadatatool) immediately after the opening tag and the interesting comment ends up a page or two down the resulting file. Plus, of course, the 2.x IdP still throws such a comment away.
The reason I'm even looking at comments here is that although you can add arbitrary attributes to an EntityDescriptor (in your own namespace) that's not permitted by the schema for EntitiesDescriptor as far as I can tell.
Ideally, from the point of view of putting something in the file that people can read to help debug downloading issues, I'd want comment A to be preserved by the download process. This only ever seems to have been done by metadatatool, so I can see that might be a hard sell unless someone other than me sees some value there. Any takers?
Stepping back from the ideal, I think removing all comments from downloaded metadata (and element white space, which is also stripped in the IdP default settings in internal.xml) isn't the right default. This space-saving micro-optimisation must have been overshadowed by several (decimal) orders of magnitude by the changes Chad made in 2.1.2 to use better data structures. Unless I'm missing something?
Finally, does anyone have any other approaches they can suggest to putting this kind of human-readable marker somewhere close to the top of a metadata file such that it will make it into the downloaded version?
-- Ian
[1] I can't figure out why this (apparently) doesn't break the signature on the file, at least according to oXygen. After all, the signature is done using http://www.w3.org/2001/10/xml-exc-c14n#WithComments
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- comments in metadata files, Ian Young, 03/23/2009
- RE: [Shib-Dev] comments in metadata files, Scott Cantor, 03/23/2009
- Re: [Shib-Dev] comments in metadata files, Ian Young, 03/23/2009
- RE: [Shib-Dev] comments in metadata files, Scott Cantor, 03/23/2009
- RE: [Shib-Dev] comments in metadata files, Scott Cantor, 03/23/2009
Archive powered by MHonArc 2.6.16.