Subject: RE: [security-services] Groups - sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded

> How do you know what metadata will be returned?
> I don't. If I did, I wouldn't need to ask for it.

So how does one parse this? How do I know the schema for the metadata
returned? How do I get the schemas for the data returned?

>Familiar with HTTP GET? It's a wonderful thing, catch the fever.

Yes, caught the fever and took an aspirin, and it's now gone. You seem to be
missing the point: you seem to have to talk to the endpoint service to get
the metadata, but you may not be able to, so there is a bootstrap issue.

> Are we talking about the metadata spec or the distribution protocol?

The MetadataDiscoveryProtocol, or more precisely the Metadata URL.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122


From: Scott Cantor <cantor.2@osu.edu>
Date: 10/14/2003 11:15 PM
To: Anthony Nadalin/Austin/IBM@IBMUS, security-services@lists.oasis-open.org
cc:
Subject: RE: [security-services] Groups - sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded

> So you have to get the URL out of band, and then go ask for
> the metadata?

It's fairly critical to identify the parties involved in a federation. So
they get identifiers. If those identifiers are URLs that point at metadata,
you have a well known URL to get metadata. That's OOB in a sense, but it's
more about the trust, as you note below. I can dynamically retrieve
metadata, but then I have to trust it.

> How do you know what metadata will be returned?

I don't. If I did, I wouldn't need to ask for it.

> How do you trust the metadata? Is it signed?

Certainly. Metadata signing is really the new trust root in this kind of
world, IMHO.

> How do I know how to talk to the metadata URL, that is, how do
> I know to use HTTP/S, WS-Security or other security protocols?
> How is the bootstrap solved?

Familiar with HTTP GET? It's a wonderful thing, catch the fever. If you want
to specify other protocols, I guess that's up to you. Personally...

> I don't see that this specification solves anything except
> saying that you can use a out of band URL

Are we talking about the metadata spec or the distribution protocol? The
purpose of the protocol is to permit a provider to change their operational
details, get their metadata signed OOB, and repost the new version at an
understood (but relatively dynamic) location so a consumer can pick up those
changes on the fly.

If you don't think that's useful, we'll agree to disagree.

> This isn't rocket science, or am I missing something?

You tell me.

-- Scott
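The consumer-side check Scott describes (dereference the entityID URL, then let the signature over the metadata, not the URL, decide whether to trust what came back), as an added example that is not from this thread or any SAML implementation. It assumes an EntityDescriptor reduced to two attributes, a constructed key pair and document, and a detached ed25519 signature standing in for XML-DSig:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assumed minimal shape behind a metadata URL: the entityID dereferenced plus a validUntil bound.
type EntityDescriptor struct {
	EntityID   string `xml:"entityID,attr"`
	ValidUntil string `xml:"validUntil,attr"`
}

// Consumer holds the trust root obtained out of band: the provider's signing key. Real SAML
// metadata carries an enveloped XML-DSig; a detached ed25519 signature stands in for it here.
type Consumer struct {
	TrustRoot ed25519.PublicKey
	Now       time.Time
}

// Accept validates a freshly fetched document before any of it is used.
func (c Consumer) Accept(entityID string, doc, sig []byte) (*EntityDescriptor, error) {
	if !ed25519.Verify(c.TrustRoot, doc, sig) { // trust comes from the signature, not the URL
		return nil, errors.New("signature does not verify against trust root")
	}
	var ed EntityDescriptor
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return nil, err
	}
	if ed.EntityID != entityID { // validly signed, but describes a different party
		return nil, errors.New("entityID mismatch")
	}
	exp, err := time.Parse(time.RFC3339, ed.ValidUntil)
	if err != nil || !c.Now.Before(exp) { // stale or malformed: refetch from the entityID URL
		return nil, errors.New("metadata validUntil missing, malformed or passed")
	}
	return &ed, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed provider key pair
	doc := []byte(`<EntityDescriptor entityID="https://idp.example.org/metadata" validUntil="2030-01-01T00:00:00Z"/>`)
	c := Consumer{TrustRoot: pub, Now: time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)}
	_, err := c.Accept("https://idp.example.org/metadata", doc, ed25519.Sign(priv, doc))
	fmt.Println("genuine copy accepted:", err == nil)
}
```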