
shibboleth-dev - Change in Metadata KeyDescriptor Use Attribute: Update 2

Subject: Shibboleth Developers

  • From: Chad La Joie <>
  • To: ,
  • Subject: Change in Metadata KeyDescriptor Use Attribute: Update 2
  • Date: Mon, 18 Sep 2006 13:36:21 -0400
  • Organization: UIS - middleware

Please note, this change supersedes the change notification issued on the Shibboleth user's list on August 17th, 2006. Additional investigation into the implications of the previous decision has led to an alteration in our conclusions.

** The Change
All KeyDescriptor elements with their "use" attribute's value explicitly set to "signing" will only be used to verify digitally signed SAML documents and TLS/SSL authentication credentials. KeyDescriptors with their "use" attribute's value explicitly set to "encryption" will only be used in the wrapping of encryption keys. KeyDescriptors without a "use" attribute may be used for any of these purposes. In the event that there are KeyDescriptors with both an explicit use attribute and without a use attribute, preference will be given to the descriptor with the explicit use attribute.

** Timeline
This change should not require any change to current metadata. Encryption support, and thus the usage of encryption key descriptors, will appear in Shibboleth 2.0.

** Justification
The SAML 2.0 Metadata specification designates the KeyDescriptor's "use" attribute as optional but with a restricted value set of ("encryption", "signing"). It is believed that many communities will use the same credential for both TLS/signing and encryption operations. This change allows them to specify the key descriptor, for that credential, a single time, which in turn allows for smaller metadata files that are less prone to administration errors. Some communities advocate the creation of two separate credentials, one for TLS (and signing) operations and one for encryption, so that they may govern each credential under different policies. This interpretation of the specification does not preclude that.
--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
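The selection rule described in the message, applied to a SAML 2.0 metadata fragment. This is an added illustration, not Shibboleth code; the entity ID and key names in the sample metadata are constructed, and a "use" value outside the specification's restricted set is treated as a metadata error.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
VALID_USES = ("signing", "encryption")

# Constructed sample: one explicit signing key, one explicit encryption key,
# and one KeyDescriptor with no "use" attribute at all.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>sign-key</ds:KeyName></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>enc-key</ds:KeyName></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor><ds:KeyInfo><ds:KeyName>any-key</ds:KeyName></ds:KeyInfo></KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""


def key_descriptors(xml_text):
    """Return (use, key_name) pairs for every KeyDescriptor in the metadata.

    `use` is None when the attribute is absent. Any other value than the
    specification's restricted set is rejected rather than silently mapped.
    """
    root = ET.fromstring(xml_text)
    result = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")
        if use is not None and use not in VALID_USES:
            raise ValueError(f"invalid KeyDescriptor use attribute: {use!r}")
        name_el = kd.find(f"{{{DS_NS}}}KeyInfo/{{{DS_NS}}}KeyName")
        result.append((use, name_el.text if name_el is not None else None))
    return result


def keys_for(purpose, descriptors):
    """Candidate key names for `purpose` ('signing' or 'encryption'), in order
    of preference: descriptors whose explicit use matches come first, then
    descriptors with no use attribute. A descriptor explicitly marked for
    the other purpose is never a candidate."""
    if purpose not in VALID_USES:
        raise ValueError(f"unknown purpose: {purpose!r}")
    explicit = [name for use, name in descriptors if use == purpose]
    unspecified = [name for use, name in descriptors if use is None]
    return explicit + unspecified
```
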
