[shibboleth-sp2] 89/100: Changing defaults/examples to avoid use of DN.
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Tue Jan 26 21:29:20 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi-guest pushed a commit to annotated tag 1.2.1
in repository shibboleth-sp2.
commit 9792f100ec190a730e0d5940c806172fe18788dc
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Thu Oct 28 02:36:27 2004 +0000
Changing defaults/examples to avoid use of DN.
---
configs/IQ-sites.xml | 4 ++--
configs/IQ-trust.xml | 22 ++++++++++------------
configs/shibboleth.xml.in | 4 ++--
3 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/configs/IQ-sites.xml b/configs/IQ-sites.xml
index 64cfa2a..083a913 100644
--- a/configs/IQ-sites.xml
+++ b/configs/IQ-sites.xml
@@ -26,7 +26,7 @@
<Alias>Example State University</Alias>
<Contact Type="technical" Name="InQueue Support" Email="inqueue-support at internet2.edu"/>
<AssertionConsumerServiceURL Location="https://wayf.internet2.edu/Shibboleth.shire"/>
- <AttributeRequester Name="CN=wayf.internet2.edu, OU=TSG, O=University Corporation for Advanced Internet Development, L=Ann Arbor, ST=Michigan, C=US"/>
+ <AttributeRequester Name="wayf.internet2.edu"/>
</DestinationSite>
<DestinationSite Name="urn:mace:inqueue:shibdev.edu">
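Review bot: the new `Name="wayf.internet2.edu"` on the AttributeRequester line only works if the trust side names this key the same way, and none of the IQ-trust.xml hunks in this patch touch a wayf.internet2.edu entry (only the localhost KeyName changes). Please confirm that the trust metadata covering this host already carries a bare-hostname `<ds:KeyName>` or a KeyAuthority entry matching the certificate's CN or DNS subjectAltName; otherwise attribute requests from this SP stop matching once the full DN is dropped.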
@@ -34,6 +34,6 @@
<Contact Type="technical" Name="Scott Cantor" Email="cantor.2 at osu.edu"/>
<AssertionConsumerServiceURL Location="http://shib2.internet2.edu/Shibboleth.shire"/>
<AssertionConsumerServiceURL Location="https://shib2.internet2.edu/Shibboleth.shire"/>
- <AttributeRequester Name="Email=root at shib2.internet2.edu, CN=shib2.internet2.edu, O=UCAID, L=Ann Arbor, ST=Michigan, C=US"/>
+ <AttributeRequester Name="shib2.internet2.edu"/>
</DestinationSite>
</SiteGroup>
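Review bot: the removed DN for shib2.internet2.edu carried an `Email=` RDN that the bare-name form cannot express; that is acceptable as long as matching falls back to the CN or a DNS subjectAltName, and the old value shows the CN is `shib2.internet2.edu`, so the new `Name="shib2.internet2.edu"` is consistent with the certificate. Same caveat as for wayf.internet2.edu: the IQ-trust.xml entry for this host is not in the patch, so check it uses the same form. Visible in the unchanged context, and worth a follow-up rather than this commit: the plain `http://shib2.internet2.edu/Shibboleth.shire` AssertionConsumerServiceURL sits beside the `https://` one, so assertions posted to it travel in the clear.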
diff --git a/configs/IQ-trust.xml b/configs/IQ-trust.xml
index 0238539..6185271 100644
--- a/configs/IQ-trust.xml
+++ b/configs/IQ-trust.xml
@@ -10,13 +10,12 @@
To bind a key to an entity directly, the key must be specified within the
<ds:KeyInfo> as either a <ds:KeyValue> (a bare key) or a <ds:X509Certificate>
within <ds:X509Data>. One or more "names" can be associated with the key
- using <ds:KeyName> or <ds:X509Subject> in <ds:X509Data>. In both cases, use
- of a full distinguished name in LDAP/RFC2253 format is suggested (reverse
- order of RDNs from X.500, separated by a comma and a space). This syntax
- is mandatory when using <ds:X509Subject>. It is permissible in <ds:KeyName>
- to just specify the entity's common name (CN) or a DNS subjectAltName, as
- typically done when evaluating TLS certificates, but we suggest using the
- complete DN to simplify matching.
+ using <ds:KeyName> or <ds:X509Subject> in <ds:X509Data>. It is suggested in
+ <ds:KeyName> to just specify the entity's common name (CN) or a DNS subjectAltName,
+ as typically done when evaluating TLS certificates. For specialized cases, we
+ support use of a full distinguished name in LDAP/RFC2253 format (reverse
+ order of RDNs from X.500, separated by a comma). This syntax is mandatory
+ when using <ds:X509Subject>.
To output the subject of a certificate in this form, use the following
OpenSSL command:
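Review bot: the rewritten comment says RDNs are `separated by a comma` where the old text said `a comma and a space`, while the DN examples elsewhere in this file (including the ones this patch removes, such as `CN=localhost, O=Shibboleth Project, C=US`) use comma-space. If the matcher compares DN strings literally, the comment should say which form it expects, or that whitespace after the comma is tolerated, since `openssl x509 -subject -nameopt RFC2253` emits no space. One more sentence would help here: with bare CN or subjectAltName matching, the name no longer carries the O and C components that distinguished two certificates sharing a CN, so uniqueness of the name now rests on the issuing CA's policy; deployers following the new default should know what they give up.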
@@ -30,14 +29,14 @@
Here is an example that binds a key directly to a host using a certificate.
Note that trust metadata does not define what this host is or what role it
- performs. This is typically handled by referencing the corresponding name
+ performs. This is typically handled by referencing the corresponding key name
in operational metadata. Also note that no validation of a certificate
specified in this form will be done, the key is merely extracted. To
revoke or expire the key binding, the entry must be removed.
-->
<ds:KeyInfo>
- <ds:KeyName>CN=localhost, O=Shibboleth Project, C=US</ds:KeyName>
+ <ds:KeyName>localhost</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>MIICtjCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQQFADA+MQswCQYDVQQGEwJVUzEb
MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
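Review bot: the comment above this block says the key is merely extracted and no certificate validation is done, so after this change `<ds:KeyName>localhost</ds:KeyName>` is a pure label that has to equal the `Name` attributes used in shibboleth.xml.in (this patch changes those to `localhost` as well). Suggest the comment state that the KeyName must match the `Name` on HandleService, AttributeAuthority or AttributeRequester exactly, so that someone editing one file knows to edit the other.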
@@ -76,8 +75,7 @@ o/72FFuLImOT2CUdJ/FonPKo2w0NhOTP4Hc=
the names of entities or groups of entities (such as federations) to which
the succeeding CA information applies. The name should be specified either
as a URI (for entities such as SAML identity and service providers and
- federations) or an LDAP DN for system-level entities. Shorthand common names
- can also be used but are best avoided.
+ federations) or a CN for system-level entities.
These names are followed by an arbitrary sequence of <ds:KeyInfo> elements
which are interpreted specifically for this context. All the embedded
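Review bot: `or a CN for system-level entities` inverts the previous guidance (`Shorthand common names can also be used but are best avoided`) without saying which certificate field the CN is compared to. Suggest `or the subject CN (or a DNS subjectAltName) of the certificate for system-level entities`, so readers know the name has to appear verbatim in a certificate issued under the CA that follows.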
@@ -119,7 +117,7 @@ o/72FFuLImOT2CUdJ/FonPKo2w0NhOTP4Hc=
-->
<KeyAuthority VerifyDepth="0">
- <ds:KeyName>CN=localhost, O=Shibboleth Project, C=US</ds:KeyName>
+ <ds:KeyName>localhost</ds:KeyName>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICtjCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQQFADA+MQswCQYDVQQGEwJVUzEb
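Review bot: this KeyAuthority now names `localhost`, the same bare name the direct key binding earlier in the file uses, and `localhost` is the CN that most self-generated test certificates carry. The comment closed by the `-->` at the top of this hunk should say that this entry exists for the example local deployment and is to be replaced, not extended, in a real install, because a bare CN is far more likely to collide with an unrelated certificate than the old `CN=localhost, O=Shibboleth Project, C=US`.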
diff --git a/configs/shibboleth.xml.in b/configs/shibboleth.xml.in
index e463948..5011777 100644
--- a/configs/shibboleth.xml.in
+++ b/configs/shibboleth.xml.in
@@ -145,8 +145,8 @@
<OriginSite Name="https://example.org/shibboleth/origin">
<Alias>Localhost Test Deployment</Alias>
<Contact Type="technical" Name="Your Name Here" Email="root at localhost"/>
- <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost, O=Shibboleth Project, C=US"/>
- <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost, O=Shibboleth Project, C=US"/>
+ <HandleService Location="https://localhost/shibboleth/HS" Name="localhost"/>
+ <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="localhost"/>
<Domain>localhost</Domain>
</OriginSite>
</SiteGroup>
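Review bot: the `Name` attributes on HandleService and AttributeAuthority must agree with the `<ds:KeyName>localhost</ds:KeyName>` entries in IQ-trust.xml; both change in this patch, so the shipped template stays consistent. Because this is the `.in` template, an existing deployment keeps its DN-form Names while a regenerated IQ-trust.xml may carry bare names. Please confirm whether the matcher treats `CN=localhost, O=Shibboleth Project, C=US` and `localhost` as the same key name; if it does not, the change belongs in the upgrade notes.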
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git