
shibboleth-dev - Re: Encryption key strategies

  • From: Ian Young <>
  • To:
  • Subject: Re: Encryption key strategies
  • Date: Thu, 29 Jun 2006 22:20:22 +0100

Jim Fox wrote:

> Setting aside the totally absurd notion that someone can set up a
> shibboleth IdP or SP, yet be incapable of running a simple cron
> task,

Just to clear up any possible misunderstanding, the "absurd notion" you're lampooning doesn't represent my view.

I'm very much not claiming that people *can't* set up refresh. I'm observing that at least in my part of the forest they nevertheless *don't* all set up refresh, or set up refresh systems which later flame out and don't get restarted (I can't distinguish these from where I'm sitting without a lot more analysis of the data).

My speculation is that if it were possible to integrate the refresh process so that people didn't need to do something extra to have it work, fewer people would end up with stale metadata.

Having cleared that up,

> the entire methodology of client-pull of metadata from a
> federation repository is backwards

[...]

> or you allow the federation to push new metadata to its members

I agree this would be far preferable, and I'd love to discuss some kind of push protocol that might make this problem go away entirely. I suspect it's a harder approach than it appears at first glance, or there would be more push protocols in use in the world. As it is, what with DNS, OCSP, RSS and everyone's favourite OS's security patch distribution systems, pull protocols are pretty dominant.

I'm not going to rule out trying to improve the existing system in the meantime.

-- Ian
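The failure mode the thread describes is a pull-based refresh that silently stops, leaving an SP or IdP running on metadata past its validity window. The script below is an added example, not code from the Shibboleth project or from anyone in this thread: it parses the top-level `validUntil` and `cacheDuration` attributes of a cached SAML metadata aggregate and reports whether the copy has expired and whether a refresh is overdue, which is the kind of check a deployment could run out of band to notice a dead refresh job. The function names (`assess_cache`, `parse_duration`, `parse_instant`) are hypothetical, and the sample metadata (dates, entityIDs, federation name) is constructed.

```python
"""Pull-side staleness check for a cached SAML metadata aggregate.

Added example (not Shibboleth code): parse the top-level validUntil and
cacheDuration attributes of a cached federation metadata document and
report whether the copy has expired and whether a refresh is overdue.
Function names are hypothetical; the sample metadata is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate; dates, entityIDs and federation name are made up.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="urn:example:federation"
    validUntil="2006-07-06T00:00:00Z" cacheDuration="PT24H">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>
"""

# Day/hour/minute/second subset of xs:duration, which is what cacheDuration uses in practice.
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_duration(value: str) -> timedelta:
    """Parse e.g. 'PT24H' or 'P1DT6H' into a timedelta; reject anything else."""
    match = _DURATION_RE.match(value)
    if match is None or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    parts = {k: int(v) for k, v in match.groupdict().items() if v is not None}
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))


def parse_instant(value: str) -> datetime:
    """Parse an xs:dateTime such as 2006-07-06T00:00:00Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def assess_cache(metadata_xml: str, fetched_at: datetime, now: datetime) -> dict:
    """Classify a cached copy.

    'expired' means validUntil has passed and the document must not be trusted;
    'refresh_due' means cacheDuration has elapsed since the last successful pull,
    so a refresh should already have happened (a dead cron job shows up here first).
    """
    root = ET.fromstring(metadata_xml)
    if root.tag not in (f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"):
        raise ValueError(f"not a SAML metadata root element: {root.tag}")
    valid_until_attr = root.get("validUntil")
    cache_duration_attr = root.get("cacheDuration")
    valid_until = parse_instant(valid_until_attr) if valid_until_attr else None
    cache_duration = parse_duration(cache_duration_attr) if cache_duration_attr else None
    expired = valid_until is not None and now >= valid_until
    refresh_due = cache_duration is not None and now >= fetched_at + cache_duration
    return {
        "expired": expired,
        "refresh_due": refresh_due,
        "valid_until": valid_until,
        "entity_count": sum(1 for _ in root.iter(f"{{{MD_NS}}}EntityDescriptor")),
    }


if __name__ == "__main__":
    fetched = parse_instant("2006-07-01T00:00:00Z")
    for probe in ("2006-07-01T12:00:00Z", "2006-07-02T01:00:00Z", "2006-07-06T00:00:00Z"):
        print(probe, assess_cache(SAMPLE_METADATA, fetched, parse_instant(probe)))
```

Run against a real cache, `fetched_at` would come from the file's mtime or the refresh job's own log, and `refresh_due` being true for longer than one refresh interval is the signal that the job has flamed out. A document carrying neither attribute yields neither flag, so a deployment should still refresh on a fixed schedule rather than treat "no expiry" as "never stale".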


