Shibboleth Developers

> The error you're getting about "Illegal key size or default parameters"
> is because it looks like you have not installed the Java JCE unlimited
> strength jurisdiction policy files (I know Chad and I always do by
> default, so we weren't seeing this...).

Changing the default sounds like a good idea. I'll pull the new 
version, and try again.

Should we doc how to obtain these other policy files?

> This observation and advice are correct, but I think your logs don't jib
> with the metadata you have shown there.  Methinks you must have slightly
> different metadata for the SP that is getting used by the IdP, that does
> have a key descriptor usable for encryption to the SP.  Your log clearly
> shows an encryption key being resolved.

I'm sorry -- I forgot to copy over the latest metadata file. Yes, 
you're right -- Chad had previously suggested making that change. I'm 
sorry about having wasted some of  your time.

> >  However, it also uncovers another issue that the IdP isn't checking that
> >  an encryption key for the SP was resolved before it goes and tries to
> >  encrypt the assertions.   I'll look at fixing that tomorrow, unless Chad
> >  beats me to it.
> >  
>
> This is technically still true, but it does catch the exception that
> gets thrown due to a null KEK credential parameter.  Question is:  what
> should we do if the IdP config indicates to do encryption, but the
> recipient doesn't have an encryption key published?    Should that be a
> fatal error, or should the IdP just log it and proceed without doing the
> encryption? The latter seems more correct to me, especially since we
> typically will just have a single default security policy for all
> relying parties.  I seem to remember us discussing that at some point.

That sounds sensible to me.