Moonshot ships with a tool, moonshot-webp, to securely and correctly provision credentials onto clients. The format for credential files is simple XML:
<?xml version="1.0" encoding="UTF-8"?>
<identities>
<identity>
<display-name>[i.e. John Smith from Camford University]</display-name>
<user>[i.e. johnsmith]</user>
<password>[i.e. correct-horse-battery-staple]</password>
<realm>[i.e. camford.ac.uk]</realm>
<services>[see below]</services>
<selection-rules>[see below]</selection-rules>
<trust-anchor>
<ca-cert>[base64-encoded representation of the IdP's root certificate in DER form]</ca-cert>
<subject>Foo</subject>
<subject-alt>Bar</subject-alt>
<!-- Or alternatively -->
<server-cert>[sha256 hash of the IdP's server certificate]</server-cert>
</trust-anchor>
</identity>
</identities>
Inclusion of the trust anchor is vital - without it credentials may be exposed to malicious resource providers. This credential format is also used to secure communication between RP's, IdP's and trust routers.
The services section is used to determine which services credential will be automatically used for - each service will be contained in its own tag. For use with a trust router, it is better to use the selection-rules section instead.
<services>
<service>xmpp@jabber.project-moonshot.org</service>
<service>email@project-moonshot.org</service>
</services>
The selection-rules section is used to restrict which services the credential will be automatically used for - for use with a trust router, the service type is "trustidentity" for all services.
<selection-rules>
<rule>
<pattern>trustidentity/*</pattern>
<always-confirm>false</always-confirm>
</rule>
</selection-rules>