
shibboleth-dev - Re: Follow-up to design call re: path length

  • From: Tom Barton <>
  • To: "'Shibboleth Dev Team'" <>
  • Subject: Re: Follow-up to design call re: path length
  • Date: Wed, 02 Mar 2005 07:11:44 -0600



Scott Cantor wrote:
> I think the real benefit of a CA accrues to the SP dealing with a bunch of
> IdPs. And I don't see much there, because dealing with InCommon would be the
> same even if we weren't issuing certificates. You'd still be "registering"
> your key on some periodic basis with the federation and the metadata is just
> a big XML certificate. Where the SP wins is in handling multiple
> point-to-point relationships because there's nobody to manage the key
> renewal for them. Again, though, it's a tools issue. People want to sell
> software for this kind of thing.
>
> A PKI is one way to smooth over not having those tools yet, but of course
> its tools and user experience are lousy too. So I'll go a short way out on a
> limb and claim that the future here is tools that manage federated trust
> without using CAs in the usual sense, decomposing them into different parts
> of the traditional CA process, signing metadata, registering keys.

In the international grid space they're gathering trust anchors to enable broader yet qualified access to grid resources. Processes to securely distribute them are also in use. SAML in general and shib in particular currently enjoy lots of attention there as a means of leveraging such efforts (together with campus or service center based identity management) to produce a rich environment for both authentication and authorization. It'd be great for shib to continue to fit in with this, and from that perspective downgrading its ability to leverage substantial PKI deployments would be heading in the wrong direction.

Tom
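The "metadata is just a big XML certificate" model that Scott describes above, shown as an added example (not code from Shibboleth, the thread's authors, or any federation): an SP that does explicit key trust takes the federation's signed metadata as its trust anchor, records the signing certificates listed per entityID, and later accepts a presented certificate only if it matches one of them by fingerprint. No chain is built and no CA or CRL is consulted; key rotation and renewal happen by publishing new metadata, and the metadata's validUntil plays the role an expiry date plays for a certificate. The metadata document, entityIDs and certificate bytes below are constructed placeholders (the X509Certificate content is not a real certificate; only its DER bytes are hashed), and verifying the metadata's own XML signature against the federation's signing key, which a real deployment must do before trusting anything in it, is assumed to have already happened and is not shown.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: stands in for the DER bytes of an IdP's signing
# certificate. It is not a real X.509 certificate; the check below only
# needs bytes to fingerprint.
FAKE_IDP_CERT_DER = b"constructed-idp-signing-certificate-bytes"
FAKE_IDP_CERT_B64 = base64.b64encode(FAKE_IDP_CERT_DER).decode()

# Constructed federation aggregate with one IdP (with a signing key) and one
# SP (with no key at all). Assumed already signature-verified.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{FAKE_IDP_CERT_B64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Same aggregate, but with a validUntil that has already passed (constructed).
EXPIRED_METADATA = SAMPLE_METADATA.replace(
    'validUntil="2030-01-01T00:00:00Z"', 'validUntil="2005-03-01T00:00:00Z"'
)


def load_trusted_keys(metadata_xml):
    """Map entityID -> set of SHA-256 fingerprints of its signing certs.

    Returns an empty map once validUntil has passed: stale metadata must not
    keep old keys alive, just as an expired certificate stops validating.
    KeyDescriptors with use="encryption" are skipped; ones with no use
    attribute count for signing, as the SAML metadata spec allows.
    """
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is not None:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
        if datetime.now(timezone.utc) > expiry:
            return {}
    trusted = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        fingerprints = set()
        for kd in ent.findall(".//md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                fingerprints.add(hashlib.sha256(der).hexdigest())
        trusted[ent.get("entityID")] = fingerprints
    return trusted


def is_trusted_signer(trusted, entity_id, presented_cert_der):
    """Explicit key trust: accept the presented certificate only if its
    fingerprint is listed for this entityID. Unknown entities, entities
    with no signing key, and unlisted certificates are all rejected."""
    fingerprint = hashlib.sha256(presented_cert_der).hexdigest()
    return fingerprint in trusted.get(entity_id, set())


if __name__ == "__main__":
    keys = load_trusted_keys(SAMPLE_METADATA)
    print("IdP cert trusted:",
          is_trusted_signer(keys, "https://idp.example.edu/idp", FAKE_IDP_CERT_DER))
    print("Unlisted cert trusted:",
          is_trusted_signer(keys, "https://idp.example.edu/idp", b"other-cert"))
    print("Entities in expired metadata:", len(load_trusted_keys(EXPIRED_METADATA)))
```

The point this makes concrete is the one Scott raises: once the SP pins keys from signed metadata, the federation's registration process and the metadata signature do the work a CA chain would otherwise do, and rotating a key is a metadata republish rather than a re-issuance. What it does not remove is the need to verify the metadata signature and to refuse stale copies, which is why the validUntil check is part of the trust decision and not an afterthought.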


