shibboleth-dev - RE: Encryption key strategies

Subject: Shibboleth Developers

RE: Encryption key strategies


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Encryption key strategies
  • Date: Thu, 22 Jun 2006 12:56:24 -0400
  • Organization: The Ohio State University

> Is the obvious answer, to store the peer's certificate in the
> metadata, somehow not feasible?

It's not only feasible, it's to my best guess the only thing that most of
the products probably support (although they really import the metadata into
local store, and allow you to manipulate the peer's cert(s) in that form
also).

That's not my question.

It's what else, if anything, are people expecting? And if the answer's
nothing, then I'm simply pointing out that all the current (slight) benefits
of key indirection on the signing side are lost, so it's likely that the
long term implication is we end up encouraging federations to dump the CA
approach.

I'm just highlighting the bigger picture. We could have just gone off and
done it as we build, but the whole point of the list I assume is so people
can see what's happening more transparently and raise their hands when they
object.

-- Scott



