shibboleth-dev - Re: [Shib-Dev] lessons learned from AD FS 2.0

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Shib-Dev] lessons learned from AD FS 2.0
  • Date: Mon, 25 Oct 2010 18:40:17 -0500

On Mon, Oct 25, 2010 at 11:03 AM, Scott Cantor <> wrote:
>
>> > 3. Every role descriptor SHOULD have at most one encryption key.
>>
>> We don't make such a restriction, and in fact (SP) entities often have more
>> than one encryption key during key rollover.
>
> Tom's point is that in theory that isn't needed, since both keys are
> available to the software, so you can switch the key rather than add them,
> *if* you control the use attribute and can distinguish signing vs.
> encryption.

Correct.

> This is true, but IMHO just makes the situation harder to understand, not
> simpler.

That's debatable, but the proof is in the pudding, I suppose. I'll
write up some documentation so folks can decide for themselves.

One thing seems clear, however. If every <md:KeyDescriptor> element in
metadata had an explicit 'use' attribute, it would be much easier for
everybody. So, as Ian observed, our tools need to support this (which
is probably the most important lesson I've learned from all of this).

Tom
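An added example, not part of the thread or of any Shibboleth code: a small metadata checker for the <md:KeyDescriptor> 'use' question above. It applies the SAML metadata rule that a KeyDescriptor with no 'use' attribute counts for both signing and encryption, reports how many keys each role resolves to per purpose, flags roles with more than one effective encryption key (point 3), and flags descriptors that omit 'use' (the lesson about tool support). It assumes a single <md:EntityDescriptor> root and uses <ds:KeyName> as a stand-in for the key material; the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: an SP mid-rollover with one signing key, one explicit
# encryption key, and a new key whose descriptor has no 'use' attribute.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>sp-sign-2010</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>sp-enc-2010</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>sp-new-2011</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS)

def resolve_keys(metadata_xml):
    """Return {role_name: {"signing": [...], "encryption": [...], "no_use": [...]}}
    for each role descriptor, applying SAML's 'absent use means both' rule."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for role in root:
        if not role.tag.startswith("{%s}" % MD):
            continue
        buckets = {"signing": [], "encryption": [], "no_use": []}
        for kd in role.findall("{%s}KeyDescriptor" % MD):
            name_el = kd.find(".//{%s}KeyName" % DS)
            name = name_el.text if name_el is not None else "(unnamed)"
            use = kd.get("use")
            if use is None:  # no 'use' attribute: key serves both purposes
                buckets["signing"].append(name)
                buckets["encryption"].append(name)
                buckets["no_use"].append(name)
            elif use in buckets:
                buckets[use].append(name)
        result[role.tag.split("}")[1]] = buckets
    return result

def lint(metadata_xml):
    """Flag roles with more than one effective encryption key, and any descriptor without 'use'."""
    findings = []
    for role, b in resolve_keys(metadata_xml).items():
        if len(b["encryption"]) > 1:
            findings.append("%s: %d effective encryption keys (%s)" % (role, len(b["encryption"]), ", ".join(b["encryption"])))
        for name in b["no_use"]:
            findings.append("%s: KeyDescriptor %s has no 'use' attribute" % (role, name))
    return findings
```

Running lint(SAMPLE_METADATA) reports two findings for the constructed SP: two effective encryption keys, and the descriptor sp-new-2011 lacking 'use'.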
