
shibboleth-dev - RE: Encryption key strategies

Subject: Shibboleth Developers


RE: Encryption key strategies


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Encryption key strategies
  • Date: Thu, 22 Jun 2006 14:27:51 -0400
  • Organization: The Ohio State University

> (Not sure why we're wasting cycles debating this in the Shib list
> right now. Doesn't this issue belong in the SSTC?)

If you think you're wasting time, don't answer. As for myself, I don't see
what obtaining keys has to do with the SAML spec. It's always been out of
scope other than "you MAY use metadata" in 2.0.

> Sorry, you need to go back and read sections 4.1.2 and 4.2.2
> carefully. The latter, for example, gives the IdP three options to
> encrypt the assertion. Two are reuse options. Even the SP has a
> reuse option.

You're right, I think that encryption text is certainly new territory. It
rings a bell now. The difference here though is that in this profile, it's
query/response. One exchange is captured. Reuse is somewhat understandable
there. But again THIS WAS NOT MY QUESTION.

In SSO plus Single Logout plus NameIDMgmt, etc. there's no way to make it
that clean. So it's a different issue. And again NOT MY QUESTION.

I was asking (quite unsuccessfully apart from Keith) one basic
question...what's the first domino? Aside from metadata, how else should
Shib 2.0 obtain public encryption keys? The consensus apparently is
"nowhere", so asked and answered.

-- Scott
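The message above settles on SAML 2.0 metadata as the only sanctioned source for a peer's public encryption keys. The following added example (not from this thread, not Shibboleth's own code) shows what that lookup actually involves: walk an entity's role descriptors, keep the KeyDescriptor elements marked use="encryption" or carrying no use attribute (which SAML 2.0 metadata defines as valid for both signing and encryption), and refuse keys published only for signing. The metadata document, entity IDs and certificate bodies are constructed placeholders.

```python
# Added example: resolving a peer's public encryption key(s) from SAML 2.0 metadata.
# Not code from the thread or from Shibboleth; the metadata below is constructed
# and the X509Certificate contents are placeholders, not real certificates.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one SP with separate signing/encryption keys, one IdP with a
# single dual-use key (no use attribute).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENC-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>DUAL-USE-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Role descriptors that can carry KeyDescriptor elements in this example.
ROLE_TAGS = ("md:SPSSODescriptor", "md:IDPSSODescriptor", "md:AttributeAuthorityDescriptor")


def encryption_keys(metadata_xml, entity_id):
    """Return the base64 certificate text (whitespace stripped) that the named
    entity publishes for encryption.

    A KeyDescriptor with use="encryption" qualifies, as does one with no use
    attribute (dual-use per SAML 2.0 metadata). use="signing" keys are skipped,
    so a sender never encrypts to a key the peer advertised for signatures only.
    An entity that is absent, or publishes no usable key, yields an empty list,
    which is the caller's cue that there is nowhere else to get a key from.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.get("entityID") != entity_id:
            continue
        for role_tag in ROLE_TAGS:
            for role in entity.findall(role_tag, NS):
                for kd in role.findall("md:KeyDescriptor", NS):
                    if kd.get("use") not in (None, "encryption"):
                        continue  # signing-only key: never use it to encrypt
                    for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                        certs.append("".join((cert.text or "").split()))
    return certs


if __name__ == "__main__":
    for eid in ("https://sp.example.org/shibboleth",
                "https://idp.example.org/idp/shibboleth",
                "https://unknown.example.org"):
        print(eid, "->", encryption_keys(SAMPLE_METADATA, eid))
```

The empty result for an unknown entity is deliberate: the code has no fallback source, matching the thread's conclusion that a Shibboleth 2.0 peer without metadata has no public encryption key to offer.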



