
shibboleth-dev - RE: Encryption key strategies

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Encryption key strategies
  • Date: Thu, 29 Jun 2006 14:58:16 -0400
  • Organization: The Ohio State University

> Setting aside the totally absurd notion that someone can set up a
> Shibboleth IdP or SP, yet be incapable of running a simple cron
> task, the entire methodology of client-pull of metadata from a
> federation repository is backwards. It is the federation that
> knows when something has changed - not the clients.

I agree with your conclusion, but not your first sentence, unless by
"absurd" you mean "wow, the world is just nuts". Because that's reality.
Whether people can or can't set it up is irrelevant; what they do is what
matters.

Secondly, Windows doesn't have cron let alone cron.daily, and I have 50+
Windows SPs here. It's not at all unusual for those sysadmins to not even be
aware of the AT command.

Most every SSO system out there uses keys of some sort and most of them are
probably pretty vulnerable to key compromise windows. Nothing new. I'm just
raising the issue that clearly CRLs are a laughable answer, as you note, nor
does anybody use them, so the current use of CAs is broken just on
principle.

-- Scott



