xmldap.org is down

[Axel Nennker]

Hi,

I am sorry to tell you that xmldap.org RP and STS are currently down.
Nulli Secundus was so kind to host our service (Big thank you) as long
as Pamela was their employee but now that Pam has started her own
company the server was reused before Chuck and I could find an
alternative.
Pam gave me some up-front information before she published her step.
Thanks for that too.

Sorry. I hope to find a solution soon.

Axel

[John Bradley]

What do you need.  I have a virtual server running IIS at test-id.org.   

Perhaps we could put it there,  I suspect a linux box would work better for you though.

John B.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "User-Centric Identity Interop" group.
To post to this group, send email to user-centric-i...@googlegroups.com
To unsubscribe from this group, send email to user-centric-identit...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/user-centric-identity-interop?hl=en
-~----------~----~----~----~------~----~------~--~---

[Axel.N...@telekom.de]

xmldap.org is java based and needs a servlet container like tomcat, jboss, or...

I am quite sure that IIS does not understand JSPs.

I would like to avoid IIS.

 

Linux with java and tomcat is much easier and probably better.

 

Thanks for the offer.

-Axel

---

Von: user-centric-i...@googlegroups.com [mailto:user-centric-i...@googlegroups.com] Im Auftrag von John Bradley
Gesendet: Montag, 6. April 2009 23:23
An: user-centric-i...@googlegroups.com
Betreff: [Interop] Re: xmldap.org is down

[Chuck Mortimore]

I just bit the bullet and purchased some hosting.     We should be back up soon.

- cmort

[John Bradley]

Thats what I suspected.  Sorry I cant be of more help.

John B.

[Ashish Jain]

I was gonna suggest to give http://www.stax.net/ a try. From what I know, it's free and allows to host Java apps.
Or wait for a few weeks - http://www.techcrunch.com/2009/03/26/get-ready-for-java-on-appengine/
- Ashish

[Chuck Mortimore]

I purchased month to month, so we can always switch.     Java App Engine will be nice....doubt it will work for our app....but nice....

- cmort

[Axel.N...@telekom.de]

can I help to install, configure, ... the server?

-Axel

---

Von: user-centric-i...@googlegroups.com [mailto:user-centric-i...@googlegroups.com] Im Auftrag von Chuck Mortimore
Gesendet: Montag, 6. April 2009 23:43

An: user-centric-i...@googlegroups.com
Betreff: [Interop] Re: xmldap.org is down

[Chuck Mortimore]

Still getting the host provisioned....should have tomcat manager up and running in a day or two.

- cmort

[Mike Jones]

I see that xmldap.org is back up but there’s no http://www.xmldap.org/relyingparty page.  There’s a few OSIS and IMI-related tests that xmldap was the ideal site to perform with.  Given that the OSIS in-person interop is on Sunday, any chance of getting it back up by then?

 

                                                                Hopefully,

                                                                -- Mike

[Gmail]

Yes - just finalizing provisioning with the new host.  

- cmort

[Chuck Mortimore]

Actually - that brings up a question - it's been so long since I've done the provisioning on this, I forget...does the keypair used for SSL on my endpoint have to match the keypair used to sign my infocards?   In other words, do I have to use the same private key for SSL as I do for card issuance, of can they differ.

Sorry - it's been a couple years since I've had to worry about that, and in too much a hurry today today to go look it up.

thanks

- cmort

[Mike Jones]

They must match.

[Axel.N...@telekom.de]

Yes, it seems that they must match. This is one point I really don't like about the CardSpace implementation.

 

Informationcard-Signing-Cert == SSL-token-issuer-cert

 

I wish we would change this in ISIP. Actually I don't know where this is written, but CardSpace insists on it.

 

-Axel

---

Von: Mike Jones [mailto:Michae...@microsoft.com]
Gesendet: Donnerstag, 16. April 2009 18:55
An: user-centric-i...@googlegroups.com
Cc: Nennker, Axel
Betreff: RE: [Interop] Re: xmldap.org is down

[Mike Jones]

More precisely, they must match for managed backed by self-issued cards.  The reason is that the IssuerID is computed from the cert in the .crd file and is then used to match the correct self-issued card, for which a security token is created to send to the IdP endpoint in the RST.  If the OLSC values and EV status of the issuer and STS certs don’t match, the selector won’t be able to locate the correct self-issued card to use to generate the token to send to the STS in the RST.

 

For other managed card types, the issuer cert and STS cert could be different.

 

                                                                -- Mike

[John Bradley]

Thanks Mike that is what I thought.  

So the issue is the generation of the "Client Pseudonym" for the card.

So if it is a EV or Class 2 cert the appropriate fields from the DN need to match between the certs not the public key itself.

Again changing those fields in the the STS cert after the card is issued will have interesting consequences depending on the selector.

I am guessing that is why CardSpace is caching the "Client Pseudonym"  though the PPID for the p-card when it is sent will be wrong if the p-card is based on the new cert anyway.

I have some tests in mind on this but they have to wait until I am done with the openID stuff for this interop.

John B.