assurance - Re: [Assurance] Information Security Guide to InCommon IAP Cross Reference
- From: "Cantor, Scott"
- Subject: Re: [Assurance] Information Security Guide to InCommon IAP Cross Reference
- Date: Fri, 20 Jul 2012 20:17:05 +0000

On 7/20/12 4:11 PM, "Tom Scavo" wrote:
>
>To avoid having to modify the IAP yet again, what if we incorporated this
>directly into the boarding process for all certified IdPs? We might, for
>example, ask a to-be-certified IdP to generate a new private signing key
>and migrate the corresponding public key certificate into metadata. Does
>that seem reasonable?

It's not unreasonable on its face, but it is a giant pain. Every
non-Shibboleth/SSP SP out there is going to break, requiring a large
effort and usually a flag day. There's no rollover possible with most
commercial or one-off SPs. Many don't support multiple acceptable keys.

>We already have a policy that states IdPs "SHOULD generate a new private
>key and submit a certificate with a new public key every 3 years."
>(https://spaces.internet2.edu/x/boY0). Enforcing this policy at the time
>of certification doesn't seem too unreasonable. What do others think?

I think one of the reasons we haven't even tried to revisit that SHOULD is
that we don't know what the real need is, and it's a complete nightmare to
do it.

Sadly, "agile trust" means "don't (strongly) authenticate".

-- Scott
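
An added illustration of the rollover problem discussed in this message (not code from the thread or from any InCommon or Shibboleth project): it walks a four-phase signing-key rollover through SAML metadata and compares an SP that accepts every published signing key with one pinned to a single configured certificate. Signature verification is reduced to matching the signer's certificate, and the entityID, phase names and certificate placeholders are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed placeholders standing in for base64 certificate bodies.
OLD, NEW = "OLD-CERT-PLACEHOLDER", "NEW-CERT-PLACEHOLDER"

def idp_metadata(certs):
    """Constructed IdP metadata: one signing KeyDescriptor per certificate."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
            'entityID="https://idp.example.edu/idp"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{keys}</md:IDPSSODescriptor></md:EntityDescriptor>")

def signing_certs(metadata_xml):
    """Every certificate an SP may trust for signatures from this IdP."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no 'use' means both purposes
            certs += [e.text.strip() for e in kd.iter(f"{{{DS}}}X509Certificate")]
    return certs

def multi_key_sp_accepts(metadata_xml, signer_cert):
    """SP that refreshes metadata and accepts any published signing key."""
    return signer_cert in signing_certs(metadata_xml)

def single_key_sp_accepts(configured_cert, signer_cert):
    """SP with one hand-configured certificate and no metadata refresh."""
    return signer_cert == configured_cert

# (phase, certificates published in metadata, certificate the IdP signs with)
PHASES = [
    ("before rollover", [OLD], OLD),
    ("new key published", [OLD, NEW], OLD),
    ("IdP switches to new key", [OLD, NEW], NEW),
    ("old key retired", [NEW], NEW),
]

def simulate(sp_configured=OLD):
    """Return (phase, multi-key SP result, single-key SP result) per phase."""
    return [(name, multi_key_sp_accepts(idp_metadata(pub), signer),
             single_key_sp_accepts(sp_configured, signer))
            for name, pub, signer in PHASES]

if __name__ == "__main__":
    for row in simulate():
        print(row)
```

The single-key SP fails from the phase where the IdP switches keys, whichever certificate it is configured with, so its reconfiguration has to coincide with the switch.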