interfed - Re: [inc-interfed] reminders

Subject: Interfederation

Re: [inc-interfed] reminders

  • From: "Cantor, Scott" <>
  • To: John Krienke <>
  • Cc: "" <>
  • Subject: Re: [inc-interfed] reminders
  • Date: Wed, 29 May 2013 00:49:54 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none

On 5/28/13 7:10 PM, "John Krienke" <> wrote:
>
> I see. MD-IOP is really trying to say something like, "A key in published
> MD is always considered valid."

To the consuming software for the purpose of whatever profiles the
metadata applies to, yes. Not valid in any more esoteric sense.

> It seems then, that Relying Parties of IdP or SP metadata still assume
> somewhere that, "a private key associated with a published public key in
> metadata is under the exclusive control of the named metadata owner"
> (where control could be defined as including an authorized outsourced
> subcontractor).

If they care about their metadata, yes. I'm just trying to say that IOP
intentionally isn't trying to talk about that (and if I understood the
phone call, eduGAIN actually isn't either).

> That's a policy assumption though, and it might include a statement
> about compromised keys and the reasonable timing of their removal from
> published MD. That document might be an RPS rather than this MD-IOP.
> Some minimal -- very minimal -- number of policy statements like this
> seem critical to scaling interfederation.

Yes. I'm not saying IOP is a practice statement for metadata; quite the
opposite, it's deliberately not. Something has to address why it's
appropriate to apply IOP to a piece of metadata, just as with any other
approach to defining what would be in metadata.

-- Scott
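The trust rule Scott describes above ("a key in published MD is always considered valid" to the consuming software, and nothing more) is what a metadata-driven SAML consumer actually implements: the presented key is accepted for an entity only if it appears in that entity's currently published metadata, with no chain validation consulted. The following is an added illustration, not code from this thread, from InCommon, or from any federation software. The metadata aggregate, entityIDs and "certificates" are constructed placeholders, and it also shows why removal from published metadata (John's point about compromised keys) is the only thing that actually revokes a key under this model: the consumer trusts whatever the current, unexpired aggregate lists.

```python
"""
Explicit-key trust driven by SAML metadata (added example, constructed data).

The consumer keeps no CA bundle for entity keys. A key is valid for an entity
and a use (signing / encryption) exactly when it is listed in that entity's
KeyDescriptor in the current, unexpired metadata. Consequently a compromised
key stays trusted until the publisher removes it and consumers refresh.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates": arbitrary bytes, base64-encoded the
# way ds:X509Certificate carries DER. Real metadata would carry real X.509 DER.
CERT_A = base64.b64encode(b"constructed-cert-idp-a-signing").decode()
CERT_B = base64.b64encode(b"constructed-cert-idp-a-encryption").decode()
CERT_C = base64.b64encode(b"constructed-cert-sp-b-both-uses").decode()

# Constructed aggregate: one IdP with separate signing/encryption keys, one SP
# whose KeyDescriptor has no 'use' attribute (meaning both uses, per the spec).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    validUntil="2013-06-05T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_C}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes; base64 line breaks ignored."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def _parse_utc(iso_ts):
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def load_trusted_keys(metadata_xml, now_iso):
    """Return {entityID: {"signing": {fp, ...}, "encryption": {fp, ...}}}.

    Raises ValueError when the aggregate's validUntil has passed: expired
    metadata must not be used as a trust source, since the publisher may have
    removed keys after that date and this copy would never reflect it.
    """
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is not None and _parse_utc(now_iso) >= _parse_utc(valid_until):
        raise ValueError("metadata expired at " + valid_until)
    trusted = {}
    for ent in root.iterfind("md:EntityDescriptor", NS):
        keys = {"signing": set(), "encryption": set()}
        for kd in ent.iterfind(".//md:KeyDescriptor", NS):
            use = kd.get("use")
            uses = [use] if use in keys else list(keys)  # absent 'use' => both
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                fp = _fingerprint(cert.text or "")
                for u in uses:
                    keys[u].add(fp)
        trusted[ent.get("entityID")] = keys
    return trusted


def key_is_trusted(trusted, entity_id, presented_cert_b64, use="signing"):
    """Explicit key trust: accept the presented key for this entity and use only
    if its fingerprint is in the entity's current metadata. No PKIX chain,
    expiry or CRL/OCSP check is consulted; the metadata is the authority."""
    if use not in ("signing", "encryption"):
        raise ValueError("unknown key use: " + use)
    entity = trusted.get(entity_id)
    if entity is None:
        return False
    return _fingerprint(presented_cert_b64) in entity[use]


if __name__ == "__main__":
    trusted = load_trusted_keys(SAMPLE_METADATA, "2013-05-29T00:00:00Z")
    print("IdP signing key accepted:", key_is_trusted(trusted, "https://idp.example.org/idp", CERT_A))
    print("IdP encryption key for signing:", key_is_trusted(trusted, "https://idp.example.org/idp", CERT_B))
```

The deliberate omission of any chain validation in `key_is_trusted` is the "not valid in any more esoteric sense" point: the consumer asserts nothing about who controls the private key. That assurance, and the timeliness of removing a compromised key from the aggregate, lives in the publisher's policy (an RPS or similar), which is why the `validUntil` check and regular refresh are the consumer's only lever against stale trust.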