shibboleth-dev - RE: Metadata Generator
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- Subject: RE: Metadata Generator
- Date: Tue, 16 Aug 2005 09:15:36 -0400
- Organization: The Ohio State University
> Is there a particular reason why the certs are inline in the
> metadata? Why not use KeyName to resolve a separate cert?

That sort of indirection is non-standard (requires metadata extensions
defined by the Shibboleth implementation), contextual (depends on the
authorities considered acceptable in a community), and complex (people suck
at PKI, and we're pretty tired of remediating them).

All of those factors lead us to encourage people to use metadata-based
certificate exchange unless and until they're prepared to do something else.
It's much simpler to demonstrate and use on a small scale.

In the case of a tool designed to generate simple metadata reflecting a
peer-to-peer trust arrangement, it would not be appropriate to assume any
external authorities. If people want to do that, they can change the
KeyDescriptor and add a KeyAuthority extension.
-- Scott
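
The distinction discussed in this message, as an added example that is not part of the original post or of Shibboleth's code: a short Python check that walks the KeyDescriptor elements of a metadata file and reports which ones carry an inline certificate (with a SHA-256 fingerprint of the decoded bytes for out-of-band comparison) and which ones carry only a KeyName and therefore depend on an external authority. The sample metadata, entityID and certificate body are constructed placeholders, and `classify_keys` is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the X509Certificate body is placeholder bytes, not a real cert.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>idp.example.org</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def classify_keys(metadata_xml):
    """Return one record per key: inline cert fingerprint, or KeyName-only."""
    root = ET.fromstring(metadata_xml)  # parse only metadata from a trusted local file
    records = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "any")  # no 'use' attribute means signing and encryption
        certs = [c.text or "" for c in kd.iterfind(".//ds:X509Certificate", NS)]
        names = [n.text.strip() for n in kd.iterfind(".//ds:KeyName", NS) if n.text]
        if certs:
            # Inline exchange: the metadata itself carries the key material.
            for b64 in certs:
                der = base64.b64decode("".join(b64.split()))
                records.append({"use": use, "mode": "inline",
                                "sha256": hashlib.sha256(der).hexdigest()})
        elif names:
            # Indirection: the key must be resolved through an external authority.
            records.append({"use": use, "mode": "keyname-only", "names": names})
        else:
            records.append({"use": use, "mode": "empty"})
    return records


if __name__ == "__main__":
    for rec in classify_keys(SAMPLE):
        print(rec)
```
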