RE: [security-services] comments re draft-sstc-metadata-iop-03

["Scott Cantor" <cantor.2@osu.edu>]

Tom Scavo wrote on 2009-02-15:
> That's probably more than you wanted to hear, and maybe most of it is
> off-topic, but hopefully it satisfies your curiosity about the use of
> SAML metadata within an X.509-based PKI.

Yes, it does. But it doesn't show that you *couldn't* embed the certificates
of the allowed "X.509 issuers" (I think that's the term you used) into the
metadata. That doesn't mean you should or that I would, but it works
functionally, as it must by definition because you can't break the security
model by collapsing a layer of indirection. You might lose something useful,
but that's not the same thing.

Your other note mentioned moving away from long-term certificates, but while
that argues further against embedding the keys (assuming you also meant the
keys would be churning), it doesn't preclude it. It means that the exchange
of metadata would have to be more dynamic to work.

Again, I wouldn't do this. But as a disproof of the universality of the
profile, I don't see it.
 
It does however suggest some properties to discuss in explaining the
contexts in which the profile will be useful. We covered the notion of
having an existing runtime PKI earlier. This adds the point that using
shorter-term credentials is also probably a factor.

I do intend to produce another draft with some more text when I have time.

-- Scott