Subject: RE: [security-services] comments re draft-sstc-metadata-iop-03
Tom Scavo wrote on 2009-02-15:

> That's probably more than you wanted to hear, and maybe most of it is
> off-topic, but hopefully it satisfies your curiosity about the use of
> SAML metadata within an X.509-based PKI.

Yes, it does. But it doesn't show that you *couldn't* embed the certificates of the allowed "X.509 issuers" (I think that's the term you used) into the metadata. That doesn't mean you should or that I would, but it works functionally, as it must by definition because you can't break the security model by collapsing a layer of indirection. You might lose something useful, but that's not the same thing.

Your other note mentioned moving away from long-term certificates, but while that argues further against embedding the keys (assuming you also meant the keys would be churning), it doesn't preclude it. It means that the exchange of metadata would have to be more dynamic to work. Again, I wouldn't do this. But as a disproof of the universality of the profile, I don't see it.

It does, however, suggest some properties to discuss in explaining the contexts in which the profile will be useful. We covered the notion of having an existing runtime PKI earlier. This adds the point that using shorter-term credentials is also probably a factor.

I do intend to produce another draft with some more text when I have time.

-- Scott
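The two trust models Scott contrasts above, as an added Go example that is not part of this thread or of the draft profile. It builds a constructed federation CA, an SP certificate issued by it, a rogue self-signed certificate with the same subject, and a "rotated" SP certificate (new key, same CA), then evaluates two constructed metadata documents: one that embeds the end-entity certificate (the IOP-profile model, where metadata is the trust anchor and only the public key matters) and one that embeds the issuer certificate instead (the layer of indirection kept, so the presented certificate must chain to it). The entity ID, subject names and the minimal EntityDescriptor shape are assumptions; the element names follow SAML 2.0 metadata and XML Signature, but the document is hand-built for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Subset of an md:EntityDescriptor: every certificate under SPSSODescriptor/KeyDescriptor.
// encoding/xml matches the path segments by local name, so md:/ds: prefixes do not matter.
type spMetadata struct {
	EntityID string   `xml:"entityID,attr"`
	Certs    []string `xml:"SPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// buildMetadata renders a minimal constructed EntityDescriptor, one KeyDescriptor per DER cert.
func buildMetadata(entityID string, ders [][]byte) string {
	var b strings.Builder
	fmt.Fprintf(&b, `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s">`, entityID)
	b.WriteString(`<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">`)
	for _, der := range ders {
		b.WriteString(`<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>`)
		b.WriteString(base64.StdEncoding.EncodeToString(der))
		b.WriteString(`</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`)
	}
	b.WriteString(`</md:SPSSODescriptor></md:EntityDescriptor>`)
	return b.String()
}

// parseMetadataCerts extracts and DER-decodes every embedded X509Certificate.
func parseMetadataCerts(metadata string) ([]*x509.Certificate, error) {
	var md spMetadata
	if err := xml.Unmarshal([]byte(metadata), &md); err != nil {
		return nil, err
	}
	certs := make([]*x509.Certificate, 0, len(md.Certs))
	for _, b64 := range md.Certs {
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// trustedByPinnedKey: metadata is the trust anchor; the presented certificate is accepted only
// if its SubjectPublicKeyInfo equals one embedded in metadata. Issuer and chain play no role.
func trustedByPinnedKey(metadata string, presented *x509.Certificate) (bool, error) {
	certs, err := parseMetadataCerts(metadata)
	if err != nil {
		return false, err
	}
	for _, c := range certs {
		if bytes.Equal(c.RawSubjectPublicKeyInfo, presented.RawSubjectPublicKeyInfo) {
			return true, nil
		}
	}
	return false, nil
}

// trustedByEmbeddedIssuer: metadata carries the allowed issuer certificates and the presented
// certificate must chain to one of them (the indirection Scott says you could keep).
func trustedByEmbeddedIssuer(metadata string, presented *x509.Certificate) (bool, error) {
	certs, err := parseMetadataCerts(metadata)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	for _, c := range certs {
		roots.AddCert(c)
	}
	_, err = presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil, nil
}

// issue creates a fresh P-256 key and certificate; parent == nil means self-signed.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, der
}

// Outcome records how each metadata variant treats the three presented certificates.
type Outcome struct {
	PinnedAcceptsSP, PinnedAcceptsRogue, PinnedAcceptsRotated bool
	IssuerAcceptsSP, IssuerAcceptsRogue, IssuerAcceptsRotated bool
}

func compareTrustModels() Outcome {
	ca, caKey, caDER := issue("Constructed Federation CA", 1, true, nil, nil)
	sp, _, spDER := issue("sp.example.org", 2, false, ca, caKey)
	rogue, _, _ := issue("sp.example.org", 3, false, nil, nil)   // same subject, not from the CA
	rotated, _, _ := issue("sp.example.org", 4, false, ca, caKey) // key rotated under the same CA

	const entityID = "https://sp.example.org/shibboleth" // assumed entity ID
	pinnedMeta := buildMetadata(entityID, [][]byte{spDER}) // embeds the end-entity certificate
	issuerMeta := buildMetadata(entityID, [][]byte{caDER}) // embeds the issuer certificate instead

	must := func(ok bool, err error) bool {
		if err != nil {
			panic(err)
		}
		return ok
	}
	return Outcome{
		PinnedAcceptsSP:      must(trustedByPinnedKey(pinnedMeta, sp)),
		PinnedAcceptsRogue:   must(trustedByPinnedKey(pinnedMeta, rogue)),
		PinnedAcceptsRotated: must(trustedByPinnedKey(pinnedMeta, rotated)),
		IssuerAcceptsSP:      must(trustedByEmbeddedIssuer(issuerMeta, sp)),
		IssuerAcceptsRogue:   must(trustedByEmbeddedIssuer(issuerMeta, rogue)),
		IssuerAcceptsRotated: must(trustedByEmbeddedIssuer(issuerMeta, rotated)),
	}
}

func main() {
	fmt.Printf("%+v\n", compareTrustModels())
}
```

Both variants reject the rogue certificate, which is Scott's point that collapsing the indirection does not break the security model. The rotated certificate separates them: the issuer-embedding metadata keeps accepting the SP after a key change, while the key-pinning metadata has to be reissued, which is the "more dynamic" metadata exchange he says churning keys would force.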