Shibboleth Developers

["Tom Scavo" <>]

On 6/22/06, Scott Cantor 
<>
 wrote:
> Given a requirement to encrypt, whatever the reason, how do I get the public
> key of the rceipient?

Metadata?

> One answer is obvious, stick the key or a cert in a KeyDescriptor and just
> get it.

Agreed.  SAMLProf recommends this in fact, but on a profile by profile basis.

> The question is what else could/should Shib 2.0 do, if anything, and
> if not (and I'm arguing not), what are the implications on other uses of PKI
> in the implementation?

I suppose Shib 2.0 should do what SAMLProf suggests (sections 4.1.6,
4.4.5, etc.), that is, rely on use="encryption" in metadata.  [By the
way, there's a nasty typo on line 627 of SAMLProf.]  Given everything
you've said so far, anything else should put off 'til Shib 2.1.

(Not sure why we're wasting cycles debating this in the Shib list
right now.  Doesn't this issue belong in the SSTC?)

> That particular profile couldn't have less to do with what I'm asking about
> here. That profile says stuff like "X MUST encrypt Y". That's it. I don't
> think it ought to go deeper than that. If you're thinking of adding stuff
> about reusing keys, it probably won't fly.

Sorry, you need to go back and read sections 4.1.2 and 4.2.2
carefully.  The latter, for example, gives the IdP three options to
encrypt the assertion.  Two are reuse options.  Even the SP has a
reuse option.

Tom