OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] Best practice for utilising signed metadata


There are not really what I would call best practices in this area, but some
deployments are more experienced than others. Shibboleth has been using
batches of metadata signed by a third party since the use of SAML 1.1 in its
original releases, and has experimented with both direct exchange of keys
and PKIX extensions to handle authentication of the federation members, all
metadata-driven.

> 	What benefits are gained by exchanging signed metadata.  Is the main
> purpose of signed metadata for publication by a uncontrolled mechanism
i.e.
> published on the internet

Not in my opinion. A major benefit is to offload vetting and key exchange to
a third party and replace the old notion of a CA with the more flexible
notion of a federation signing authority.

> 	What level of support is available from SAML implementations for
> signed metadata.?

I can only speak for my own. It's entirely driven by metadata and signing
it's the entire basis for the security of the implementation.

To the extent that any legal signed metadata instance is rejected by any
implementation that claims to support metadata, it's a bug in any case.

But whether other implementations support any specific models for use of
signed metadata to provision trust is a matter for, I would say, developing
profiles to facilitate useful compliance.

> 	Is the manual correction of metadata after generation an acceptable
> practice?

Sure, but not if you expect the original signature to hold. I think you're
asking whether a particular product would accept it. That's impossible to
say. It would depend on the product, the mode of operation, and what you
were intending the metadata to accomplish.
 
> 	If metadata is exchanged by an 'out-of-band' controlled process,
> would signature verification be necessary?

Depends on the definition of "control" and on your needs.

-- Scott




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]