Shibboleth Developers

[Ian Young <>]

Jim Fox wrote:

> Setting aside the totally absurd notion that someone can setup a
> shibboleth IdP or SP, yet be incapable of running a simple cron
> task,

Just to clear up any possible misunderstanding, the "absurd notion" 
you're lampooning doesn't represent my view.

I'm very much not claiming that people *can't* set up refresh.  I'm 
observing that at least in my part of the forest they nevertheless 
*don't* all set up refresh, or set up refresh systems which later flame 
out and don't get restarted (I can't distinguish these from where I'm 
sitting without a lot more analysis of the data).

My speculation is that if it were possible to integrate the refresh 
process so that people didn't need to do something extra to have it 
work, fewer people would end up with stale metadata.

Having cleared that up,

> the entire methodology of client-pull of metadata from a
> federation repository is backwards

[...]

> or you allow the federation to push new metadata to its members

I agree this would be far preferable, and I'd love to discuss some kind 
of push protocol that might make this problem go away entirely.  I 
suspect it's a harder approach than it appears at first glance, or there 
would be more push protocols in use in the world.  As it is, what with 
DNS, OCSP, RSS and everyone's favourite OS's security patch distribution 
systems, pull protocols are pretty dominant.

I'm not going to rule out trying to improve the existing system in the 
meantime.

        -- Ian