Moonshot ships with a tool, moonshot-webp, to securely and correctly provision crednetials onto clients. The format is simple XML:

<?xml version="1.0" encoding="UTF-8"?>
<identities>
  <identity>
    <display-name>[i.e. John Smith from Camford University]</display-name>
    <user>[i.e. johnsmith]</user>
    <password>[i.e. correct-horse-battery-staple]</password>
    <realm>[i.e. @camford.ac.uk]</realm>
    <selection-rules>
    </selection-rules>
    <trust-anchor>
      <server-cert>[sha256 fingerprint OR the base64 encoded representation of a root certificate in DER form used in the IdP's trust anchor]</server-cert>
    </trust-anchor>
  </identity>
</identities>

Inclusion of the trust anchor is vital - without it credentials may be exposed to malicious resource providers. This credential format is also used to secure communication between RP's, IdP's and trust routers.

The rules section is used to restrict which services credential will be automatically used for - for use with a trust router, the service type is "trustidentity".

       <rule>
        <pattern>trustidentity/*</pattern>
        <always-confirm>false</always-confirm>
      </rule>