
shibboleth-dev - RE: Encryption key strategies

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Encryption key strategies
  • Date: Mon, 26 Jun 2006 08:30:08 -0400
  • Organization: The Ohio State University

> dare I say it? but profile a WS method for getting it. The current
> profile describes how to get attributes/assertions from an endpoint.
> A public cert is just another attribute but of the entity rather than
> the user in a profile. Without a profile there will be no interop. A
> profile that lets an encrypter ask an encryptee "give me your key".
> The public key is no big secret, it's public! So use REST. If I want
> the description of a WS I use its "REST" service to get its WSDL
> (?wsdl). Why not have a REST service to get its public key too?

Sorry, but that doesn't help me. I can't trust somebody to tell me their own
public key, this has to be authenticated by a trusted third party.

And pulling metadata is REST, it's the same thing.

> Reuse is bad so keys shouldn't be in metadata.

Huh?

-- Scott



