shibboleth-dev - Re: Follow-up to design call re: path length
- From: Walter Hoehn
- To: "'Howard Gilbert'"
- Cc: Shibboleth Developers
- Subject: Re: Follow-up to design call re: path length
- Date: Wed, 2 Mar 2005 10:26:21 -0600
For clarification, the question of whether or not the "signing end" will allow one to use multiple keys for different roles within a single entity seems different from the question of how the "verifying end" validates the signatures relative to those roles. The "verifying end" certainly needs to honor the metadata, while the "signing end" configuration might only allow what is deemed to be rational. For example, the IdP might require that, for a given entity, the same key be used for signing attribute query responses and authN responses.
-Walter
On Mar 2, 2005, at 9:22 AM, Scott Cantor wrote:
It makes sense for a lot of people to issue a single Certificate/Key to
the IdP and use it for both the SSO and AA functions. It is somewhat
scholastic to require that two statements in the same Reply be signed by
different certificates because they were issued from different roles.
We don't require that.
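The distinction drawn in the message above, sketched as an added example (not part of the original post and not Shibboleth's code): the verifying end accepts a key only if the metadata lists it for the role that issued the statement, while the signing end may enforce a stricter local policy such as one key per entity. It assumes SAML 2.0 metadata element names; the entity ID, certificate placeholders and function names are hypothetical, and only key-to-role matching is shown, not signature validation.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENTITY = "https://idp.example.org/shibboleth"  # constructed entity ID

# Constructed, trimmed metadata: one entity, two roles, a different key per role.
# Real metadata carries base64 DER certificates where the placeholders are.
METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="{ENTITY}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SSO-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-AA-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""


def role_keys(metadata_xml, entity_id, role):
    """Signing certificates the metadata lists for one role of one entity."""
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        return set()
    certs = set()
    for descriptor in root.findall(f"{{{MD}}}{role}"):
        for kd in descriptor.findall(f"{{{MD}}}KeyDescriptor"):
            # A KeyDescriptor without a "use" attribute applies to signing too.
            if kd.get("use") in (None, "signing"):
                for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                    certs.add("".join((cert.text or "").split()))
    return certs


def verifier_accepts(metadata_xml, entity_id, role, presented_cert):
    """Verifying end: honor the metadata, role by role."""
    cert = "".join(presented_cert.split())
    return cert in role_keys(metadata_xml, entity_id, role)


def signer_config_ok(keys_by_role):
    """Signing end: local policy requiring one key for all roles of an entity."""
    return len(set(keys_by_role.values())) == 1
```
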