
shibboleth-dev - RE: Comments on the new configuration

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>
  • Cc: "'Howard Gilbert'" <>, <>
  • Subject: RE: Comments on the new configuration
  • Date: Mon, 23 May 2005 19:27:33 -0400
  • Organization: The Ohio State University

> Because as you said, the IdP and SP share metadata with each
> other, so why wouldn't the IdP's metadata be in one file and
> the SP's metadata be in another? It reinforces the idea that
> metadata files are swapped and that an entity need not
> consume its own metadata.

Alright. Needless to say, all of this is post-beta. I can't screw with
things this much right now.

> No, but your inline comment says a single descriptor can be
> used for both yet it's not clear how to do that.

You don't have to do anything, it just is. I thought that's what it said.

> Moreover, is it required to duplicate in metadata the KeyInfo that is
> already in the signature itself? I assume it is but that too
> had me spinning my wheels for a long time.

A KeyInfo in a signature is self-asserted. It's worthless unless you have a
trust anchor to compare it with. Including it is just common practice in the
PKI world, but it's mostly worthless.

-- Scott
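
The point about KeyInfo in the reply above, as an added example that is not part of the original message and not Shibboleth's own code: a certificate carried inside a signature's KeyInfo counts only if it matches a key that the exchanged metadata lists for the claimed issuer. The sketch shows that trust decision only (it does not verify the signature itself); the entityID, function names and certificate bytes are constructed placeholders.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def fingerprints(node, path):
    """SHA-256 of every decoded ds:X509Certificate found at path under node."""
    return {hashlib.sha256(base64.b64decode("".join((el.text or "").split()))).hexdigest()
            for el in node.iterfind(path, NS)}

def metadata_keys(metadata_xml, entity_id):
    """Trust anchors: keys that the exchanged metadata lists for entity_id."""
    root = ET.fromstring(metadata_xml)  # use a hardened XML parser on untrusted input
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.get("entityID") == entity_id:
            return fingerprints(ent, ".//md:KeyDescriptor/" + CERT)
    return set()

def keyinfo_is_anchored(signature_xml, metadata_xml, claimed_issuer):
    """True only if every cert the signer offered is also in the issuer's metadata."""
    offered = fingerprints(ET.fromstring(signature_xml), ".//" + CERT)
    return bool(offered) and offered <= metadata_keys(metadata_xml, claimed_issuer)

def sample_b64(label):  # constructed placeholder bytes, not real certificates
    return base64.b64encode(label).decode()

def sample_signature(cert_b64):  # constructed ds:Signature carrying only a KeyInfo
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></ds:Signature>')

IDP = "https://idp.example.org/shibboleth"  # constructed entityID
METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="{IDP}"><md:IDPSSODescriptor><md:KeyDescriptor use="signing">'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{sample_b64(b"idp-signing-cert")}'
            f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            f'</md:IDPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    # Same issuer name, two different embedded keys: only the metadata match counts.
    print(keyinfo_is_anchored(sample_signature(sample_b64(b"idp-signing-cert")), METADATA, IDP))
    print(keyinfo_is_anchored(sample_signature(sample_b64(b"self-asserted-cert")), METADATA, IDP))
```

A real verifier would then check the signature value with the key taken from metadata, not with the one embedded in the message.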



