[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Best practice for utilising signed metadata
There are not really what I would call best practices in this area, but some deployments are more experienced than others. Shibboleth has been using batches of metadata signed by a third party since the use of SAML 1.1 in its original releases, and has experimented with both direct exchange of keys and PKIX extensions to handle authentication of the federation members, all metadata-driven.

> What benefits are gained by exchanging signed metadata. Is the main
> purpose of signed metadata for publication by an uncontrolled mechanism i.e.
> published on the internet

Not in my opinion. A major benefit is to offload vetting and key exchange to a third party and replace the old notion of a CA with the more flexible notion of a federation signing authority.

> What level of support is available from SAML implementations for
> signed metadata?

I can only speak for my own. It's entirely driven by metadata and signing is the entire basis for the security of the implementation. To the extent that any legal signed metadata instance is rejected by any implementation that claims to support metadata, it's a bug in any case. But whether other implementations support any specific models for use of signed metadata to provision trust is a matter for, I would say, developing profiles to facilitate useful compliance.

> Is the manual correction of metadata after generation an acceptable
> practice?

Sure, but not if you expect the original signature to hold. I think you're asking whether a particular product would accept it. That's impossible to say. It would depend on the product, the mode of operation, and what you were intending the metadata to accomplish.

> If metadata is exchanged by an 'out-of-band' controlled process,
> would signature verification be necessary?

Depends on the definition of "control" and on your needs.

-- Scott
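The trust model Scott describes (a federation signing authority vouches for a batch of entity metadata, consumers pin the federation key and accept member keys only out of a batch whose signature verifies, and any hand edit after signing breaks that signature) can be sketched in a few dozen lines. The following is an added example, not code from the thread, from Shibboleth, or from any SAML product. It assumes a constructed metadata sample, a fixed Ed25519 seed for the federation key, and a detached signature over the raw document bytes as a stand-in for the enveloped XML Signature with canonicalization that real federations use; the entityID, certificate value and seeds are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample of a federation metadata batch, trimmed to the parts this
// example reads. The certificate value is a placeholder, not a real key.
const sampleMetadata = `<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-federation">
  <EntityDescriptor entityID="https://idp.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data><X509Certificate>MIIB-idp-signing-cert-placeholder</X509Certificate></X509Data>
        </KeyInfo>
      </KeyDescriptor>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>`

// Minimal view of the SAML metadata schema: entities and their signing keys.
type entitiesDescriptor struct {
	XMLName  xml.Name           `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntitiesDescriptor"`
	Entities []entityDescriptor `xml:"EntityDescriptor"`
}

type entityDescriptor struct {
	EntityID string `xml:"entityID,attr"`
	IDP      *struct {
		Keys []keyDescriptor `xml:"KeyDescriptor"`
	} `xml:"IDPSSODescriptor"`
}

type keyDescriptor struct {
	Use  string `xml:"use,attr"`
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
}

// signedBatch pairs a metadata document with a detached signature from the
// federation signing authority. A real federation publishes an enveloped
// ds:Signature inside EntitiesDescriptor, verified after canonicalization;
// signing the exact bytes here keeps the trust decision easy to follow.
type signedBatch struct {
	Document  []byte
	Signature []byte
}

// federationKeys derives the federation's Ed25519 key pair from a fixed,
// constructed seed so the example is reproducible. A real signing key lives
// offline or in an HSM; its public half is pinned in each member's config.
func federationKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("example-federation-seed-32-bytes") // exactly 32 bytes
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signBatch is what the federation operator runs after vetting its members.
func signBatch(priv ed25519.PrivateKey, doc []byte) signedBatch {
	return signedBatch{Document: doc, Signature: ed25519.Sign(priv, doc)}
}

// loadTrustedMetadata is the consumer side: the batch is rejected unless the
// federation signature verifies against the pinned key, and only then are the
// entity signing keys it carries accepted. Returns entityID -> signing certs.
func loadTrustedMetadata(fedPub ed25519.PublicKey, b signedBatch) (map[string][]string, error) {
	if !ed25519.Verify(fedPub, b.Document, b.Signature) {
		return nil, errors.New("federation signature does not verify: metadata rejected")
	}
	var md entitiesDescriptor
	if err := xml.Unmarshal(b.Document, &md); err != nil {
		return nil, fmt.Errorf("signed metadata is not well-formed: %w", err)
	}
	trusted := make(map[string][]string)
	for _, e := range md.Entities {
		if e.IDP == nil {
			continue
		}
		for _, k := range e.IDP.Keys {
			// An absent use attribute means the key serves signing and encryption.
			if k.Use == "" || k.Use == "signing" {
				trusted[e.EntityID] = append(trusted[e.EntityID], strings.TrimSpace(k.Cert))
			}
		}
	}
	return trusted, nil
}

func main() {
	fedPub, fedPriv := federationKeys()
	batch := signBatch(fedPriv, []byte(sampleMetadata))
	trusted, err := loadTrustedMetadata(fedPub, batch)
	fmt.Println("published batch:", trusted, err)

	// "Manual correction" after signing: the document changes, the signature does not.
	edited := batch
	edited.Document = []byte(strings.Replace(sampleMetadata, "MIIB", "MIIC", 1))
	_, err = loadTrustedMetadata(fedPub, edited)
	fmt.Println("hand-edited batch:", err)

	// A batch signed with a key the consumer has not pinned is rejected the same way.
	rogue := ed25519.NewKeyFromSeed([]byte("not-the-federation-signing-key!!"))
	_, err = loadTrustedMetadata(fedPub, signBatch(rogue, []byte(sampleMetadata)))
	fmt.Println("batch from unpinned signer:", err)
}
```

The point the consumer-side function makes is the one in the reply: the member's own certificate is never trusted on its own merits, only because it arrived inside a batch the federation signed, which is what lets the signing authority take over the CA's vetting role. Whether an out-of-band channel makes the verification step redundant then depends on whether that channel gives the same integrity and origin guarantees the pinned key does.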