
shibboleth-dev - Re: [Shib-Dev] lessons learned from AD FS 2.0


Re: [Shib-Dev] lessons learned from AD FS 2.0

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Shib-Dev] lessons learned from AD FS 2.0
  • Date: Thu, 28 Oct 2010 21:27:54 -0500

On Mon, Oct 25, 2010 at 6:40 PM, Tom Scavo <> wrote:
> On Mon, Oct 25, 2010 at 11:03 AM, Scott Cantor <> wrote:
>>
>> Tom's point is that in theory that isn't needed, since both keys are
>> available to the software, so you can switch the key rather than add them,
>> *if* you control the use attribute and can distinguish signing vs.
>> encryption.
>
> Correct.
>
>> This is true, but IMHO just makes the situation harder to understand, not
>> simpler.
>
> That's debatable, but the proof is in the pudding, I suppose. I'll
> write up some documentation so folks can decide for themselves.

A complete (and general) enumeration of the various cases is here:

https://docs.google.com/Doc?docid=0AZzfN_vJA7cvZGhzMmQ1d3FfNDVjamJ6NHpneA&hl=en

Case 3b is what's described in the wiki (in terms of the Shib SP software):

https://spaces.internet2.edu/display/SHIB2/NativeSPMultipleCredentials

I think 3a is simpler to understand than 3b. A small wrinkle of course
is step 2.2 in Case 3a.

Tom
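The quoted exchange turns on whether a metadata consumer can tell a signing key from an encryption key via the KeyDescriptor `use` attribute. The following is an added example (Python, not code from this thread, the Shibboleth SP, or the linked documents) of that key selection on constructed SP metadata: in the "switch" layout the new key is published for signing only and the old key for encryption only, so a peer verifies signatures with exactly one key; in the "add" layout neither key carries `use`, so a peer must treat both keys as candidates for both purposes. Entity IDs and key names are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: SP mid-rollover using the "switch" approach. The new key
# is offered for signing only; the old key stays encryption-only so peers keep
# encrypting to it until the SP retires it. KeyName stands in for a certificate.
SP_METADATA_SWITCH = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>new-key</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>old-key</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the "add" approach. No use attribute, so per SAML 2.0
# metadata each key is valid for both signing and encryption.
SP_METADATA_ADD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>old-key</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>new-key</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def keys_for(metadata_xml, purpose):
    """Return the KeyNames a peer may use for `purpose` ('signing' or 'encryption').

    A KeyDescriptor without a use attribute is accepted for both purposes;
    one with use="signing" or use="encryption" is accepted only for that one.
    """
    if purpose not in ("signing", "encryption"):
        raise ValueError("purpose must be 'signing' or 'encryption'")
    root = ET.fromstring(metadata_xml)
    selected = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")  # None means the key serves both purposes
        if use is None or use == purpose:
            selected.extend(kn.text for kn in kd.iterfind("ds:KeyInfo/ds:KeyName", NS))
    return selected


if __name__ == "__main__":
    for label, md in (("switch", SP_METADATA_SWITCH), ("add", SP_METADATA_ADD)):
        print(label, "verify with:", keys_for(md, "signing"),
              "encrypt to:", keys_for(md, "encryption"))
```

With the "switch" layout a verifier has a single candidate key, whereas with the "add" layout it has to try every listed key, which is the extra complexity the thread is weighing.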



Archive powered by MHonArc 2.6.16.
