Shibboleth Developers

["Scott Cantor" <>]

> Be careful.  The spec recommends validUntil in the root element only. 
> If the EntityDescriptor is meant to be copy-and-pasted into a
> containing element (which it is, right?), it therefore should NOT have
> a validUntil attribute.

Recommendations aren't MUSTs. There is really no rational basis for taking a
bunch of unlike instances and putting them in a common group. So no, I
really don't expect they'll be pasted anywhere, but allowing for it is fine
and if they are, I would not expect to be removing the validity information
or factoring it up. Just doesn't really make sense to me.

Looking at it now, I'm not even sure what the point of the recommendation
was, I suspect it's a hold-over from ID-FF. There are perfectly good reasons
for every element setting its own policy. There'd be no point in having the
attribute at the role level otherwise, in fact. In essence, every element
has an implied validUntil of "forever" anyway, so there is no single
attribute.

The only reason I suggested Nate include it is for clarity, I just think
being explicit about it is a good idea.

-- Scott