[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Groups -sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded
> So you have to get the URL out of band, and then go ask for
> the metadata?

It's fairly critical to identify the parties involved in a federation. So they get identifiers. If those identifiers are URLs that point at metadata, you have a well-known URL to get metadata. That's OOB in a sense, but it's more about the trust, as you note below. I can dynamically retrieve metadata, but then I have to trust it.

> How do you know what metadata will be returned?

I don't. If I did, I wouldn't need to ask for it.

> How do you trust the metadata, is it signed?

Certainly. Metadata signing is really the new trust root in this kind of world, IMHO.

> How do I know how to talk to the metadata URL, that is how do
> I know to use HTTP/S, WS-Security or other security protocols?
> How is the bootstrap solved?

Familiar with HTTP GET? It's a wonderful thing, catch the fever. If you want to specify other protocols, I guess that's up to you. Personally...

> I don't see that this specification solves anything except
> saying that you can use an out of band URL

Are we talking about the metadata spec or the distribution protocol? The purpose of the protocol is to permit a provider to change their operational details, get their metadata signed OOB, and repost the new version at an understood (but relatively dynamic) location so a consumer can pick up those changes on the fly. If you don't think that's useful, we'll agree to disagree.

> This isn't rocket science, or am I missing something?

You tell me.

-- Scott
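The consumer-side checks the exchange above implies (verify the signature against a trust root obtained out of band, confirm the document really belongs to the URL it was fetched from, honor validUntil), as an added example that is not code from the thread or from the SAML specification. It assumes the HTTP GET has already returned the document bytes, uses a detached RSA-SHA256 signature as a simplified stand-in for XML-DSig, and the sample document, entity URL and keys are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Constructed sample of what a provider publishes at its entityID URL.
const SampleDoc = `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/metadata" validUntil="2030-01-01T00:00:00Z"/>`

// The two attributes a consumer must check before using anything else.
type EntityDescriptor struct {
	EntityID   string `xml:"entityID,attr"`
	ValidUntil string `xml:"validUntil,attr"`
}

// SignMetadata is the provider's out-of-band signing step. A detached
// RSA-SHA256 signature stands in for XML-DSig to keep the example short.
func SignMetadata(doc []byte, key *rsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}

// ValidateMetadata is the consumer side after HTTP GET on the well-known URL.
// The signature is checked only against a key pinned out of band (the trust
// root), never a key carried inside the document; the entityID must equal the
// URL the document came from; and validUntil must still be in the future.
func ValidateMetadata(fetchedFrom string, doc, sig []byte, trusted *rsa.PublicKey, now time.Time) (*EntityDescriptor, error) {
	d := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(trusted, crypto.SHA256, d[:], sig); err != nil {
		return nil, errors.New("metadata signature does not verify against pinned key")
	}
	var ed EntityDescriptor
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return nil, err
	}
	if ed.EntityID != fetchedFrom {
		return nil, fmt.Errorf("entityID %q does not match fetch location %q", ed.EntityID, fetchedFrom)
	}
	until, err := time.Parse(time.RFC3339, ed.ValidUntil)
	if err != nil || !now.Before(until) {
		return nil, errors.New("metadata validUntil missing, unparsable, or in the past")
	}
	return &ed, nil
}
```

A consumer that refreshes on a schedule runs ValidateMetadata on every fetch and keeps the last good copy when a refresh fails any of the three checks.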