
shibboleth-dev (Shibboleth Developers) list archive

Re: Dynamic metadata, API thoughts


  • From: Chad La Joie <>
  • To:
  • Subject: Re: Dynamic metadata, API thoughts
  • Date: Wed, 28 Jun 2006 06:51:07 -0400


On Jun 28, 2006, at 6:12 AM, Ian Young wrote:

> Per my comment in another thread, if we're talking about dynamically fetching individual entity metadata documents from the URL that is the entity's ID, we're probably mainly thinking about scalability. And, most people aren't currently seeing scary scalability issues in their future just yet, so maybe they don't see this as worth worrying about just now. I do see scary scalability issues in my future, though.
>
> As to viability at a technical level, my biggest question is that I can't see how to combine the fetch-from-the-ID approach with an entity retaining its entity ID in multiple federations. One issue is the signing question: the signature profile used in SAML metadata doesn't allow for multiple signatures on the same metadata, so how does the location being queried for metadata know which signed metadata to return? Query parameters? Client TLS authentication? I don't think we know. Unless we declare this a non-problem (and return to entities having different IDs in different federations) we'd need to profile something, and obviously the contextual information you need to pass across for this operation would need to be available through the resolver API.

There is nothing that says the signature needs to be with a key specific to a federation. I think if we went to this model, and I know where you're coming from when you worry about scalability, you'd have some big entity in the sky that everyone trusts sign your data. All you're really after from that signature is the assurance it provides that the keying info and metadata binding is good. A Verisign-like entity could provide that functionality.

I hate to even suggest it, because the topic is an absolute quagmire, but if we really insisted on having a federation sign the metadata, federations could investigate cross-signing and bridging PKI. I think such a solution would be a monumental kludge prone to huge heartache, but you might be able to get it to work... maybe.


