shibboleth-dev - Re: Comments on the new configuration
Subject: Shibboleth Developers
List archive
- From: Tom Scavo
- To: Scott Cantor
- Cc: Howard Gilbert
- Subject: Re: Comments on the new configuration
- Date: Mon, 23 May 2005 18:33:48 -0400
On 5/23/05, Scott Cantor wrote:
> > Yes, which seems to suggest separate metadata files for the IdP and SP.
>
> Why?
Because, as you said, the IdP and SP share metadata with each other, so
why wouldn't the IdP's metadata be in one file and the SP's metadata
be in another? It reinforces the idea that metadata files are swapped
and that an entity need not consume its own metadata.
> >> One or more KeyDescriptors tell SPs how the IdP will authenticate itself.
> >> A single descriptor can be used for both signing and for server-TLS.
> >
> > That may be true, but it's not clear by looking at the metadata
> > examples (or even reading the metadata spec) how to write such a
> > KeyDescriptor. Indeed, it doesn't seem like the 'use' attribute is
> > all that 'use'ful.
>
> It's not, but then I never claimed it was.
No, but your inline comment says a single descriptor can be used for
both yet it's not clear how to do that. Moreover, is it required to
duplicate in metadata the KeyInfo that is already in the signature
itself? I assume it is but that too had me spinning my wheels for a
long time.
Thanks,
Tom