Interfederation

[Ian Young <>]

On 16 Apr 2013, at 22:19, Tom Scavo 
<>
 wrote:

> On Tue, Apr 16, 2013 at 3:03 PM, Jim Basney 
> <>
>  wrote:
>> 
>> The validUntil in metadata is hop-by-hop. Want eduGAIN to validate
>> validUntil that it pulls, then include validUntil in eduGAIN published
>> metadata aggregate.
> 
> Wouldn't it be better for the aggregator (eduGAIN in this case) to tag
> the aggregate with a validUntil date that is the MINIMUM of all the
> individual validUntil dates?

No.  The function of validUntil is to protect against replay attacks in which 
a once valid aggregate is presented to the same consumer in order to bring 
compromised entity credentials back into use.  It's applied independently at 
each producer and verified by the corresponding consumer.  There is no need 
for any pass-through behaviour to implement this protection.

Doing arithmetic on validUntil does not improve the hop-by-hop protection, 
and puts you in a position where any of the upstream aggregates can control 
the validity interval for the entire downstream aggregate, whether 
deliberately, accidentally or by going offline for a long period.  This is 
clearly undesirable, and aggregators should simply not overthink this.

InCommon operates as an aggregator when it generates its production aggregate 
from individual entity descriptors.  I don't think you'd want to allow a 
global property of the aggregate (such as validUntil, but this applies 
generally) to be influenced by those individual contributions.

        -- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature