Moonshot ships with a tool, moonshot-webp, to securely and correctly provision credentials onto clients. The format for credential files is simple XML:
<?xml version="1.0" encoding="UTF-8"?>
<display-name>[i.e. John Smith from Camford University]</display-name>
<services>[optional, see below]</services>
<selection-rules>[optional, see below]</selection-rules>
<ca-cert>[base64-encoded representation of the IdP's root certificate in DER form]</ca-cert>
<!-- Or alternatively -->
<server-cert>[sha256 hash of the APC/IdP's server certificate]</server-cert>
Inclusion of the trust anchor is vital - without it credentials may be exposed to malicious resource providers. This credential format is also used to secure communication between RP's, IdP's and trust routers.
services section is used to determine which services credential will be automatically used for - each service will be contained in its own tag. For use with a trust router, it is better to use the
selection-rules section instead.
selection-rules section is used to restrict which services the credential will be automatically used for - for use with a trust router identity, the service type is "trustidentity" for all services.