The APC credential uses the same standard Moonshot XML file format as normal Moonshot identities, i.e. the trust router network uses Moonshot to secure itself. Moonshot ships with a tool, moonshot-webp, to securely and correctly provision credentials onto clients. The format is simple XML:
<?xml version="1.0" encoding="UTF-8"?>
<identities>
  <identity>
    <display-name>[display name, i.e. Trust Router Credential generated at UNIX timestamp, or John Smith from Camford University]</display-name>
    <user>[username at the APC, i.e. johnsmith]</user>
    <password>[password at the APC, i.e. correct-horse-battery-staple]</password>
    <realm>[the APC realm name, i.e. @camford.ac.uk]</realm>
    <selection-rules>
      <rule>
        <pattern>trustidentity/*</pattern>
        <always-confirm>false</always-confirm>
      </rule>
    </selection-rules>
    <trust-anchor>
      <server-cert>[sha256 fingerprint of the APC server certificate OR the base64 encoded representation of a root certificate in DER form]</server-cert>
    </trust-anchor>
  </identity>
</identities>
Inclusion of the trust anchor is vital: without it, credentials may be exposed to malicious resource providers. This credential format is also used to secure communication between RPs, IdPs and trust routers.
The rules section is used to restrict which services the credential will be automatically used for; for use with a trust router, the service type is "trustidentity".
<rule>
  <pattern>trustidentity/*</pattern>
  <always-confirm>false</always-confirm>
</rule>
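As an added example (not part of this page or of the Moonshot tools), the following Python checks an identities file for the two points above: that every identity carries a trust anchor whose server-cert is a sha256 fingerprint or a base64 DER root certificate, and that its selection rules are limited to the trustidentity service. The sample file and its values are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (placeholder values): first identity is pinned and scoped, second has no trust anchor.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<identities>
  <identity>
    <display-name>Trust Router Credential generated at 1700000000</display-name>
    <user>johnsmith</user>
    <password>correct-horse-battery-staple</password>
    <realm>@camford.ac.uk</realm>
    <selection-rules>
      <rule><pattern>trustidentity/*</pattern><always-confirm>false</always-confirm></rule>
    </selection-rules>
    <trust-anchor>
      <server-cert>""" + "ab" * 32 + """</server-cert>
    </trust-anchor>
  </identity>
  <identity>
    <display-name>Unpinned credential</display-name>
    <user>janedoe</user>
    <password>hunter2</password>
    <realm>@camford.ac.uk</realm>
    <selection-rules>
      <rule><pattern>*</pattern><always-confirm>false</always-confirm></rule>
    </selection-rules>
  </identity>
</identities>
"""
# sha256 fingerprint (hex, optionally colon-separated) or a base64 DER blob
FINGERPRINT_RE = re.compile(r"^[0-9a-fA-F]{2}(?::?[0-9a-fA-F]{2}){31}$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def check_identities(xml_text):
    """Map each identity's display-name to a list of findings (empty list = OK)."""
    findings = {}
    for ident in ET.fromstring(xml_text).findall("identity"):
        problems = []
        cert = ident.findtext("trust-anchor/server-cert", default="").strip()
        if not cert:
            problems.append("missing trust-anchor/server-cert: credential not pinned")
        elif not (FINGERPRINT_RE.match(cert) or BASE64_RE.match(cert)):
            problems.append("server-cert is neither a sha256 fingerprint nor base64 DER")
        patterns = [r.findtext("pattern", default="").strip()
                    for r in ident.findall("selection-rules/rule")]
        wide = [p for p in patterns if not p.startswith("trustidentity/")]
        if wide:
            problems.append("rule not limited to the trustidentity service: " + ", ".join(wide))
        findings[ident.findtext("display-name", default="<unnamed>")] = problems
    return findings
```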