shibboleth-dev - Re: Encryption key strategies

Subject: Shibboleth Developers

Re: Encryption key strategies

  • From: Keith Hazelton <>
  • Subject: Re: Encryption key strategies
  • Date: Thu, 22 Jun 2006 12:15:11 -0500

Inline comment:

Scott Cantor wrote:
Is the obvious answer, to store the peer's certificate in the
metadata, somehow not feasible?
    

It's not only feasible, it's to my best guess the only thing that most of
the products probably support (although they really import the metadata into
local store, and allow you to manipulate the peer's cert(s) in that form
also).

That's not my question.

It's what else, if anything, are people expecting? And if the answer's
nothing, then I'm simply pointing out that all the current (slight) benefits
of key indirection on the signing side are lost, so it's likely that the
long term implication is we end up encouraging federations to dump the CA
approach.
  
As I said in an earlier message, if that's the way it eventually plays out, so be it. We don't have to have that fight now nor declare winners and losers before settling on an answer to Scott's question (in the words he used in a recent post): "Given a requirement to encrypt, whatever the reason, how do I get the public key of the recipient?" The answer on the table is: put it in metadata with perhaps a complementary KeyResolver API. --Keith
I'm just highlighting the bigger picture. We could have just gone off and
done it as we build, but the whole point of the list I assume is so people
can see what's happening more transparently and raise their hands when they
object.

-- Scott

-- 
________________________________________________________
Keith Hazelton                  Senior IT Architect, UW-Madison
(608) 262-0771                  Division of Info. Technology
(608) 205-2022 (home)           1210 W. Dayton St., rm. 2118A
http://arch.doit.wisc.edu/keith      Madison, WI  53706
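The answer Keith summarizes, put the recipient's certificate in metadata and look it up through a KeyResolver-style API, as an added worked example. This is illustration code written for this page, not Shibboleth's code and not its KeyResolver API. The metadata, the entityIDs and the "certificate" bytes are constructed placeholders (stdlib only, so it runs offline); a real resolver would hand the decoded DER to an XML Encryption library, and whether that DER is then checked against a federation CA or a locally pinned fingerprint is exactly the trust question the thread leaves open. One detail worth noting: the SAML 2.0 metadata schema allows a KeyDescriptor with no use attribute, which means the key is valid for both signing and encryption, so an encryption lookup must accept those as well as use="encryption".

```python
"""Resolve a peer's encryption certificate from SAML 2.0 metadata.

Added illustration for this page; not Shibboleth code, and the class below
is not Shibboleth's KeyResolver API. Standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample metadata. The entityIDs are invented and the
# "certificates" are placeholder bytes rather than real X.509 DER, so no
# crypto library is needed. In real metadata each ds:X509Certificate
# carries the base64 DER of the peer's certificate.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'SIGNING-CERT')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'ENCRYPTION-CERT')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <!-- no 'use' attribute: the key serves both signing and encryption -->
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'BOTH-USES-CERT')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy.example.net/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'LEGACY-SIGNING-CERT')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


class MetadataKeyResolver:
    """Look up a peer's encryption certificate(s) by entityID and role.

    Hypothetical class name; it stands in for whatever the thread calls a
    'complementary KeyResolver API'.
    """

    def __init__(self, metadata_xml: str):
        self._root = ET.fromstring(metadata_xml)

    def _entity(self, entity_id: str) -> ET.Element:
        # iter() also visits the root, so a bare EntityDescriptor document works too
        for ed in self._root.iter(f"{{{NS['md']}}}EntityDescriptor"):
            if ed.get("entityID") == entity_id:
                return ed
        raise KeyError(f"no EntityDescriptor with entityID {entity_id!r}")

    def encryption_certs(self, entity_id: str, role: str = "SPSSODescriptor") -> list:
        """Return the DER bytes of every certificate usable for encrypting to the peer."""
        role_el = self._entity(entity_id).find(f"md:{role}", NS)
        if role_el is None:
            raise KeyError(f"{entity_id!r} has no md:{role}")
        certs = []
        for kd in role_el.findall("md:KeyDescriptor", NS):
            # 'use' may be "signing", "encryption", or absent; absent means both.
            if kd.get("use") not in (None, "encryption"):
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # base64 in metadata is usually wrapped; strip all whitespace first
                certs.append(base64.b64decode("".join((cert.text or "").split())))
        if not certs:
            raise LookupError(f"{entity_id!r} publishes no encryption certificate")
        return certs


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint of the DER, the value you would pin if not relying on a CA."""
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    resolver = MetadataKeyResolver(SAMPLE_METADATA)
    for der in resolver.encryption_certs("https://sp.example.org/shibboleth"):
        print("SP encryption cert fingerprint:", sha256_fingerprint(der))
```

The resolver returns every matching certificate rather than the first one, because a peer rolling its key will publish the old and new certificates side by side for a while and the encrypting party has to pick one (commonly the newest, or whichever the local trust policy accepts).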