Shibboleth Developers

["RL 'Bob' Morgan" <>]

On Wed, 2 Mar 2005, Walter Hoehn wrote:

> Whether or not we include support for trust rooting, I had sort of 
> assumed that when an end-entity certificate was included directly in the 
> metadata entry for a system entity it would be treated as "just a key". 
> So, from the standpoint of the shibboleth, the renewal wouldn't be 
> required.  Likewise, a new certificate that shared a public key with its 
> predecessor wouldn't require a metadata update.

Quite so.  What is being proposed here as entirely adequate is exactly the 
key management approach taken in normal use of ssh, that is, keys are 
accepted once via a mysterious unsecured-but-probably-OK process, then 
never changed.  You can make a good case that ssh deployment has succeeded 
because it has been able to rely on this pretty-good method rather than 
requiring better-but-harder-to-use security (ie, CA-based PKI) from the 
beginning.  But the corollary is that despite very widespread ssh 
deployment there are, to my knowledge, no tools (the ones Scott's hoping 
for with Shib) for making ssh key management scalable.  So in practice, it 
doesn't scale, and as use scales up its security goes from pretty good to 
rather questionable.  This meets many people's needs, and would for Shib 
too, but I really wouldn't like to lock Shib into a keys-never-change 
world, especially since we're not in that world now.

 - RL "Bob"