Subject: RE: Kerberos in Shibboleth?
> Please enlighten me. What kind of interoperability problems
> do you anticipate?
> - Is it that every Club Shib member will make their own certs
> holding arbitrary (Subject) definitions?
> - Or is it concerns regarding root key distribution?

I guess I was a bit strong. There can be interop, but it depends on how similar or different the decisions about trust (what/when/how) are. Right now, Club Shib is DNS-driven. Everything has a name, the name is in the cert, and we use trusted signers (Verisign, et al. almost certainly among them) to basically validate ownership of DNS names. Cert preconfig is kept pretty minimal, and release of attributes is really just driven by a kind of authenticated DNS check.

I have no idea what other radically different scenarios might be put on top of the Shib architecture, which doesn't specify any degree of interoperability at the message exchange level because we're not dictating how messages are to be authenticated or encrypted. Even if we mandated use of PKI like Club Shib (and I suppose SAML) does, that doesn't define a trust model.

I have some ideas for how to modularize the message layer by policy URIs that would let us plug in different trust "engines", so to speak, but until some practical experience is available, I'm focused on making this work.

-- Scott
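The "authenticated DNS check" described in the message above, as an added example in Go that is not code from this thread or from Shibboleth: a constructed stand-in for a trusted signer vouches for a DNS name by placing it in the certificate it issues, and the relying side releases attributes only when the presented certificate both chains to a listed signer and carries the DNS name the peer claims. The signer names, the host `sp.example.edu`, and the `ReleasePolicy` table are constructed assumptions; the fixture code panics on setup failure because it only builds test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer is a constructed stand-in for a commercial CA that validates ownership
// of a DNS name and then binds that name into the certificates it issues.
type Signer struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// makeCert generates a fresh P-256 key and signs tmpl with parentKey
// (self-signed when parentKey is nil). Fixture code: panics instead of returning errors.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewSigner builds a self-signed CA certificate for the stand-in signer.
func NewSigner(name string) *Signer {
	cert, key := makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	return &Signer{Cert: cert, key: key}
}

// Issue returns a leaf certificate whose subjectAltName carries the validated DNS name;
// that name is the entire basis of the trust decision on the relying side.
func (s *Signer) Issue(dnsName string) *x509.Certificate {
	cert, _ := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, s.Cert, s.key)
	return cert
}

// ReleasePolicy is a constructed attribute-release table keyed by the peer's DNS name.
var ReleasePolicy = map[string][]string{
	"sp.example.edu": {"eduPersonAffiliation", "eduPersonScopedAffiliation"},
}

// AuthenticatedDNSCheck releases attributes only if the presented certificate chains
// to a trusted signer AND its SAN contains the DNS name the peer claims.
func AuthenticatedDNSCheck(leaf *x509.Certificate, claimedName string, trusted *x509.CertPool) ([]string, error) {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   claimedName,
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, fmt.Errorf("refusing release to %q: %w", claimedName, err)
	}
	return ReleasePolicy[claimedName], nil
}

// RunScenario covers the three cases that matter: a listed signer's cert for the
// claimed name (released), the same cert presented under another name (refused),
// and a cert from a signer outside the trust list (refused).
func RunScenario() (attrs []string, mismatchErr, rogueErr error) {
	club, rogue := NewSigner("Club Shib Trusted Signer"), NewSigner("Unlisted Signer")
	trusted := x509.NewCertPool()
	trusted.AddCert(club.Cert)
	good, bad := club.Issue("sp.example.edu"), rogue.Issue("sp.example.edu")

	attrs, err := AuthenticatedDNSCheck(good, "sp.example.edu", trusted)
	if err != nil {
		panic(err) // a listed signer's cert for the claimed name must pass
	}
	_, mismatchErr = AuthenticatedDNSCheck(good, "other.example.edu", trusted)
	_, rogueErr = AuthenticatedDNSCheck(bad, "sp.example.edu", trusted)
	return attrs, mismatchErr, rogueErr
}
```

The trust decision lives entirely in `trusted` (which signers are listed) and in the SAN of the presented certificate; swapping the pool for a different set of roots, or keying `ReleasePolicy` on something other than a DNS name, is where a different trust "engine" would plug in.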
Powered by eList eXpress LLC