Shibboleth Developers

[Scott Cantor <>]

I chatted a little with Paul at the Santa Clara Liberty meeting about trust
metadata and he wasn't sure whether this work was like/unlike what we were
playing around with in Shib, but I thought we should eventually look into
it.

It is not being worked on actively in Liberty at this point, and Liberty
metadata basically takes the "stick the key in the metadata" approach.

My semi-unstated direction has been to begin to migrate our operational
metadata to the Liberty->SAML stuff, but use <KeyName> to reference a named
physical entity that owns the keying material, if necessary. Thus
maintaining some separation between the standards-based metadata and the
<Trust> schema that I built at your suggestion so that we could move toward
some other approach for that later.

For example, to maintain a CA-based validation of incoming signatures from a
site, its metadata could include a KeyName containing the subject of the
certificate it will send with the signature. The validation process would
then use the <Trust> data as now to locate appropriate CAs and check the
cert and its subject.

It's worth noting I think that we'll probably never achieve much real
interop with commercial SAML this way, since most products will no doubt
expect certs to be in the metadata. It's my intent to support that in the
code for that reason.

-- Scott