
shibboleth-dev - RE: [Shib-Dev] comments in metadata files

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] comments in metadata files
  • Date: Mon, 23 Mar 2009 18:10:16 -0400
  • Organization: The Ohio State University

Ian Young wrote on 2009-03-23:
> The reason I'm even looking at comments here is that although you can
> add arbitrary attributes to an EntityDescriptor (in your own
> namespace) that's not permitted by the schema for EntitiesDescriptor
> as far as I can tell.

Probably an accident.

> Ideally, from the point of view of putting something in the file that
> people can read to help debug downloading issues, I'd want comment A
> to be preserved by the download process. This only ever seems to have
> been done by metadatatool, so I can see that might be a hard sell
> unless someone other than me sees some value there. Any takers?

I think I can probably fix that, given where this serialization happens in
the SP.

> Stepping back from the ideal, I think removing all comments from
> downloaded metadata (and element white space, which is also stripped
> in the IdP default settings in internal.xml) isn't the right default.
> This space-saving micro-optimisation must have been overshadowed by
> several (decimal) orders of magnitude by the changes Chad made in
> 2.1.2 to use better data structures. Unless I'm missing something?

Unless they're backing up the data by reserializing the DOM immediately,
there are a number of things the Java code will throw away when it goes from
DOM -> XMLObject -> DOM. It's not round-trip safe, and if they're pruning
whitespace, then apparently signatures aren't preserved either?

> [1] I can't figure out why this (apparently) doesn't break the
> signature on the file, at least according to oXygen. After all, the
> signature is done using
> http://www.w3.org/2001/10/xml-exc-c14n#WithComments

I don't think it could be reverifying the signature if you're saying it's
also stripping whitespace. I'm not sure how it knows not to, since the
verifier is a Metadata Filter...perhaps filters only run if it's loaded from
the remote source and not a backup?

-- Scott
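
Added example (not part of the original message or of the Shibboleth code): the effect the thread is puzzling over, shown by hashing the canonical form of a constructed metadata document before and after comments or inter-element whitespace are stripped. It assumes Python's standard-library C14N 2.0 serializer as a stand-in for exc-c14n, which treats comments and whitespace text nodes the same way for this case, and a SHA-256 digest as a stand-in for the signature's reference digest; the sample document and helper names are hypothetical.

```python
import hashlib
import re
from xml.etree.ElementTree import canonicalize

# Constructed sample metadata: one comment, indented child elements.
SIGNED = (
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    ' Name="example">\n'
    '  <!-- comment A: published by a constructed example federation -->\n'
    '  <md:EntityDescriptor entityID="https://idp.example.org/shibboleth"/>\n'
    '</md:EntitiesDescriptor>'
)


def digest(xml_text, with_comments):
    """Digest of the canonical form, as a signature reference would compute it."""
    c14n = canonicalize(xml_text, with_comments=with_comments)
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


def strip_comments(xml_text):
    # Crude regex, adequate for the constructed sample only.
    return re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)


def strip_element_whitespace(xml_text):
    # Removes whitespace-only text between tags, as a pruning serializer would.
    return re.sub(r">\s+<", "><", xml_text)


def survives(transform, with_comments):
    """True if the digest is unchanged after the transform is applied."""
    return digest(SIGNED, with_comments) == digest(transform(SIGNED), with_comments)


if __name__ == "__main__":
    for name, fn in (("strip comments", strip_comments),
                     ("strip whitespace", strip_element_whitespace)):
        for mode in (True, False):
            label = "WithComments" if mode else "without comments"
            result = "digest unchanged" if survives(fn, mode) else "digest BROKEN"
            print(f"{name:18} {label:18} {result}")
```

Only comment removal under a comment-omitting canonicalization leaves the digest intact; whitespace pruning changes it in both modes, so a stored copy that has been pruned cannot pass re-verification.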




