md-distro - Re: [md-distro] verifying what I heard on this week's call

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [md-distro] verifying what I heard on this week's call
  • Date: Fri, 6 Sep 2013 18:59:56 -0400

On Fri, Sep 6, 2013 at 6:21 PM, Mark K. Miller <> wrote:
>
> On Fri, 6 Sep 2013, Tom Scavo wrote:
>
>> If that's true, then it seems the immediate goal would be to provide
>> signed per-IdP metadata via md-query. That's good because 1) there are
>> *many* SPs in InCommon metadata, and 2) only a small percentage of
>> them need to be individually signed and packaged. For example, most of
>> the 272 CMU SPs do not need to be exposed as signed, per-SP metadata.
>> I suspect there are many such SPs in metadata. Maybe *most* of them.
>
> Sure, *most* of them. Then, suddenly, that one faculty member across campus
> here needs to collaborate with that one thing at CMU, and I hope I don't
> need special permission from Gettes!

Well, that's because you know he'll ignore you when you ask ;-)

>> We probably want to use entity attributes to denote the set of SP
>> entity descriptors that do (or do not) need to be signed and exposed
>> via md-query, but I'm not even sure where to begin...
>
> Only the SP operators know where to begin.

I think that's right, which probably means SP operators need to be in
complete control of that entity attribute.

> So, clearly Gettes would provide
> some pretty reasonable guidance for the 272 CMU SPs to get this setup
> correctly. However, other than that, I fully expect most of the other SPs
> to want to be signed and exposed.

Hmm, I'm guessing just the opposite is true...but who knows!

>> Finally, I have no idea what discovery looks like in a world of
>> per-entity metadata. Anybody care to speculate about that?
>
> Sure, I will! It'll be a bigger mess than SP operators and IdP operators
> needing to directly agree on attribute release.

Certainly those are the two most "interesting" problems in federated
identity today.

Thanks,

Tom
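As an added illustration (not part of this thread or of any InCommon tooling), here is how the entity-attribute opt-in Tom describes could be applied when splitting an aggregate: the Python below selects every IdP plus only those SPs carrying a hypothetical opt-in entity attribute, and emits each one as a standalone EntityDescriptor ready for a separate signing step. The attribute name, the sample aggregate and the entityIDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Hypothetical opt-in entity attribute (placeholder name, not a registered URN).
PUBLISH_ATTR = "http://example.org/entity-attribute/publish-per-entity"

# Constructed sample aggregate: SP1 opts in, SP2 does not, plus one IdP.
AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.edu/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://example.org/entity-attribute/publish-per-entity">
        <saml:AttributeValue>true</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def wants_per_entity(ed):
    """True if the EntityDescriptor carries the opt-in entity attribute with value 'true'."""
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == PUBLISH_ATTR:
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            if "true" in values:
                return True
    return False


def select_per_entity(aggregate_xml):
    """Map entityID -> standalone EntityDescriptor XML for every IdP and every opted-in SP.
    Signing each document is a separate step (e.g. with xmlsec) and is not shown here."""
    root = ET.fromstring(aggregate_xml)
    out = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        is_idp = ed.find("md:IDPSSODescriptor", NS) is not None
        if is_idp or wants_per_entity(ed):  # IdPs always; SPs only when they opt in
            out[ed.get("entityID")] = ET.tostring(ed, encoding="unicode")
    return out
```

Because the SP operator controls the entity attribute in its registered metadata, the same filter lets each operator decide for itself whether its entity is exposed via md-query, which is the point Tom makes above.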


