RE: [security-services] Groups -sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded

[Scott Cantor <cantor.2@osu.edu>]

> So you have to get the URL out of band, and then go ask for 
> the metadata ?

It's fairly critical to identify the parties involved in a federation. So
they get identifiers. If those identifiers are URLs that point at metadata,
you have a well known URL to get metadata. That's OOB in a sense, but it's
more about the trust, as you note below. I can dynamically retrieve
metadata, but then I have to trust it.

> How do you know what metadata will be returned?

I don't. If I did, I wouldn't need to ask for it.

>How do your trust the metadata, is it signed ?

Certainly. Metadata signing is really the new trust root in this kind of
world, IMHO.

> How do I know how to talk to the metadata URL, that is how do 
> I know to use HTTP/S, WS-Security or other security protocols 
> ? How is the boot strap solved ?

Familiar with HTTP GET? It's a wonderful thing, catch the fever. If you want
to specify other protocols, I guess that's up to you. Personally...

> I don't see that this specification solves anything except 
> saying that you can use a out of band URL

Are we talking about the metadata spec or the distribution protocol? The
purpose of the protocol is to permit a provider to change their operational
details, get their metadata signed OOB, and repost the new version at an
understood (but relatively dynamic) location so a consumer can pick up those
changes on the fly.

If you don't think that's useful, we'll agree to disagree.

> This isn't rocket science, or am I missing something?

You tell me.

-- Scott