shibboleth-dev - RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- Date: Tue, 4 Jul 2006 16:55:45 -0400
- Organization: The Ohio State University
> So what XML elements did you mean if not RetrievalMethod?
I was talking about what XML Signature allows, not what was implemented.
> You read me wrong here. Shibboleth and PKI from what I get out of this
> discussion is working.
It works as well as any use of PKI works, I guess. I didn't say there was a
bug, I'm just saying that PKI is the wrong model unless a different approach
to metadata is used.
> Obviously you need to get up-to-date CRLs.
As Jim Fox noted, CRLs are the wrong idea for this kind of thing. We'd need
real-time, but nobody is putting up any OCSP or XKMS stuff, so I'd say we
need to start looking for other solutions here.
> And building a new metadata file with these updated CRLs is just another
> part of the script fetching the CRLs.
If I have to go get a fresh metadata file to revoke a certificate, inline
keys will work exactly as well, but are faster, simpler, and more
understandable. Furthermore, going back to the original thread, it gives me
simple encryption support. The PKI model doesn't. Ergo, I don't think it
will work for people much longer.
-- Scott
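
Added example, not part of the original message and not Shibboleth's code: a sketch of the inline-key model discussed above, where a credential is trusted only if its exact bytes appear in the current metadata, so republishing metadata without a key revokes it with no CRL involved. The entityID, the key bytes and the helper names are constructed for illustration, and the metadata's own signature is assumed to have been verified before parsing.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for DER certificate bytes (not real certificates).
KEY_OLD = b"constructed-cert-OLD"
KEY_NEW = b"constructed-cert-NEW"
IDP = "https://idp.example.org/shibboleth"  # hypothetical entityID


def make_metadata(entity_id, keys):
    """Build a constructed metadata document, one inline key per KeyDescriptor."""
    kds = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>\n{base64.b64encode(k).decode()}\n"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for k in keys
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
        f'entityID="{entity_id}"><md:IDPSSODescriptor>{kds}'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def trusted_keys(metadata_xml, entity_id, use="signing"):
    """Return the key material listed inline for entity_id.

    Assumes the metadata signature was already verified by the caller.
    """
    keys = set()
    root = ET.fromstring(metadata_xml)
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") != entity_id:
            continue
        for kd in ent.iter(f"{{{MD}}}KeyDescriptor"):
            # A KeyDescriptor with no "use" attribute applies to every use.
            if kd.get("use") not in (None, use):
                continue
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                text = "".join((cert.text or "").split())
                keys.add(base64.b64decode(text, validate=True))
    return keys


def is_trusted(metadata_xml, entity_id, presented, use="signing"):
    """Exact-match trust: no chain building and no CRL lookup."""
    return presented in trusted_keys(metadata_xml, entity_id, use)
```

How quickly a removed key stops being accepted depends entirely on how often relying parties refresh the metadata.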