Subject: Metadata IOP & the front-channel bindings
Section 2.2 of Metadata Interoperability Profile reads: "This profile [...] requires that metadata be usable as a self-contained vehicle for communicating trust such that a user of a conforming implementation can be guaranteed that any and all rules for processing digital signatures, encrypted XML, and transport layer cryptography (e.g. TLS/SSL [RFC4346]) can be derived from the metadata alone, with no additional trust requirements imposed."

I'm curious how the IOP addresses the confidentiality and integrity requirement of the front-channel bindings (cf. "Security and Privacy Considerations") from the 'metadata alone'. It seems to me that the credentials bound to end-points such as the ACS (and trust anchors stored in the user's browser) are "additional trust requirement[s]"?

I suspect that I'm interpreting the quoted extract too broadly (i.e. this spec is scoped to metadata consumers/publishers, and trust interactions between other actors are out-of-scope), but a clarification would be very welcome!

best regards,
josh.
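To make the distinction in the question concrete, the following is an added example (not part of josh's message, the IOP, or any SAML implementation) that walks a SAML 2.0 EntityDescriptor and separates the two kinds of fact a metadata consumer can read out of it: the X.509 keys published in KeyDescriptor elements, which govern XML signature and encryption processing, and the endpoint Locations, split into front-channel bindings (HTTP-POST, HTTP-Redirect, HTTP-Artifact, where the TLS session is terminated by the user's browser, which does not read the metadata) and back-channel bindings (SOAP, where the consumer itself is the TLS client). The function names, the entityID and the certificate bodies are constructed placeholders.

```python
"""Separate the trust facts carried by a SAML EntityDescriptor (keys and endpoints)
from the front-channel TLS trust that the user agent establishes on its own.
Constructed example; `trust_from_metadata` is a hypothetical helper, not an IOP API."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Bindings in which the message travels through the user's browser.
FRONT_CHANNEL_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}

# Constructed sample metadata. Certificate bodies are placeholders, not real X.509 blobs;
# the http:// SingleLogoutService is deliberately weak to exercise the check below.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-SIGNING-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-DUAL-USE-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.org/saml/artifact" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sp.example.org/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_key_descriptors(role):
    """Return (uses, certificate) pairs. A KeyDescriptor with no `use` attribute
    applies to both signing and encryption, per the metadata schema."""
    keys = []
    for kd in role.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = frozenset({use}) if use else frozenset({"signing", "encryption"})
        for cert in kd.findall(".//ds:X509Certificate", NS):
            keys.append((uses, "".join(cert.text.split())))  # drop base64 whitespace
    return keys


def certs_for(keys, use):
    return [cert for uses, cert in keys if use in uses]


def endpoints(role):
    """Every child element carrying Binding and Location is an endpoint."""
    found = []
    for el in role:
        binding, location = el.get("Binding"), el.get("Location")
        if binding is None or location is None:
            continue
        found.append({
            "service": el.tag.split("}", 1)[1],
            "binding": binding.rsplit(":", 1)[1],
            "location": location,
            "front_channel": binding in FRONT_CHANNEL_BINDINGS,
            "https": location.startswith("https://"),
        })
    return found


def trust_from_metadata(xml_text):
    """Collect what the metadata alone establishes for an SP role."""
    root = ET.fromstring(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    keys = parse_key_descriptors(role)
    eps = endpoints(role)
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs_for(keys, "signing"),
        "encryption_certs": certs_for(keys, "encryption"),
        "endpoints": eps,
        # Front-channel endpoints not served over https: the metadata gives the
        # consumer no way to protect these, and the browser will not consult it.
        "plaintext_front_channel": [e["service"] for e in eps
                                    if e["front_channel"] and not e["https"]],
    }


if __name__ == "__main__":
    result = trust_from_metadata(SAMPLE_METADATA)
    for ep in result["endpoints"]:
        channel = "front-channel (browser terminates TLS)" if ep["front_channel"] \
            else "back-channel (consumer is TLS client)"
        print(f"{ep['service']:28} {ep['binding']:14} {ep['location']}  [{channel}]")
    print("weak front-channel endpoints:", result["plaintext_front_channel"])
```

The signing and encryption certificates come straight out of the metadata, which is what the quoted sentence promises. The front-channel endpoints only yield a URL; which certificate the browser will accept for that URL is decided by the browser's own trust store, which is the point the question raises.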