
Subject: Metadata Distribution Subcommittee of TAC


Re: [md-distro] verifying what I heard on this week's call


  • From: "Mark K. Miller" <>
  • To:
  • Subject: Re: [md-distro] verifying what I heard on this week's call
  • Date: Fri, 6 Sep 2013 18:21:15 -0400 (EDT)


On Fri, 6 Sep 2013, Tom Scavo wrote:

> On the call, I thought I heard Scott say that the current Shib SP
> supports per-entity metadata whereas the IdP does not. Is that
> correct?

Well, as the lowly IdP operator, I remember asking something like 'how do I do any of this neat stuff now?' and Scott said, "you're screwed." An answer I appreciated far more than any beating around the bush! ;-)

So, I don't specifically recall if we were referring to support for per-entity metadata, or metadata query (which seems like it implies supporting per-entity metadata). But, yeah, not the IdP.

> If that's true, then it seems the immediate goal would be to provide
> signed per-IdP metadata via md-query. That's good because 1) there are
> *many* SPs in InCommon metadata, and 2) only a small percentage of
> them need to be individually signed and packaged. For example, most of
> the 272 CMU SPs do not need to be exposed as signed, per-SP metadata.
> I suspect there are many such SPs in metadata. Maybe *most* of them.

Sure, *most* of them. Then, suddenly, that one faculty member across campus here needs to collaborate with that one thing at CMU, and I hope I don't need special permission from Gettes!

> We probably want to use entity attributes to denote the set of SP
> entity descriptors that do (or do not) need to be signed and exposed
> via md-query, but I'm not even sure where to begin...

Only the SP operators know where to begin. So, clearly Gettes would provide some pretty reasonable guidance for the 272 CMU SPs to get this set up correctly. However, other than that, I fully expect most of the other SPs to want to be signed and exposed.

> At this point, I'm still pretty confused about the use of validUntil
> and cacheDuration at the per-entity level.

+1

> I'm not sure why we would
> want to do anything different than we do now (i.e., validUntil only).
> Won't HTTP Conditional GET tell the metadata client everything it
> needs to know?

> There may be an advantage to elevating HTTP Conditional GET to the
> SAML layer. Wouldn't the MDRPI creationInstant XML attribute serve
> that purpose?

> Finally, I have no idea what discovery looks like in a world of
> per-entity metadata. Anybody care to speculate about that?

Sure, I will! It'll be a bigger mess than SP operators and IdP operators needing to directly agree on attribute release.

> Tom

Max
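The thread asks whether cacheDuration adds anything beyond validUntil when HTTP Conditional GET is available, and whether the MDRPI creationInstant attribute could play the conditional-GET role at the SAML layer. The following is an added example, not code from this list or from any federation tooling: it reads one per-entity EntityDescriptor (a constructed sample, not real InCommon metadata) and derives a client refresh policy from those three values, so the distinct role of each is visible. The `refresh_policy` function and the sample document are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}

# Constructed sample per-entity metadata (hypothetical entityID and publisher).
SAMPLE_ENTITY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    entityID="https://idp.example.edu/idp/shibboleth"
    validUntil="2013-09-20T00:00:00Z" cacheDuration="PT6H">
  <md:Extensions>
    <mdrpi:PublicationInfo publisher="https://federation.example.org"
        creationInstant="2013-09-06T12:00:00Z"/>
  </md:Extensions>
</md:EntityDescriptor>"""

def parse_instant(s):
    """Parse the UTC 'Z' form of xs:dateTime used in SAML metadata."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_duration(s):
    """Parse the PnDTnHnMnS subset of xs:duration seen in cacheDuration."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", s)
    if not m:
        raise ValueError("unsupported duration: " + s)
    d, h, mi, sec = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=sec)

def refresh_policy(xml_text, fetched_at, cached_creation=None):
    """Return (usable, next_refresh, is_newer) for one EntityDescriptor.

    usable: False once validUntil has passed; expired metadata must not be trusted.
    next_refresh: the earlier of validUntil and fetched_at + cacheDuration
      (cacheDuration only shortens the polling interval, it never extends trust).
    is_newer: creationInstant is later than the cached copy, the SAML-layer
      analogue of an HTTP conditional GET deciding whether anything changed.
    """
    root = ET.fromstring(xml_text)
    vu = root.get("validUntil")
    valid_until = parse_instant(vu) if vu else None
    usable = valid_until is None or fetched_at < valid_until
    next_refresh = valid_until
    cd = root.get("cacheDuration")
    if cd:
        by_cache = fetched_at + parse_duration(cd)
        next_refresh = by_cache if valid_until is None else min(valid_until, by_cache)
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    created = parse_instant(pub.get("creationInstant")) if pub is not None else None
    is_newer = cached_creation is None or (created is not None and created > cached_creation)
    return usable, next_refresh, is_newer
```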


