
md-distro - Re: [md-distro] Agenda: Review and Final Meeting [0169395#]

Subject: Metadata Distribution Subcommittee of TAC



  • From: "Joe St Sauver" <>
  • To:
  • Subject: Re: [md-distro] Agenda: Review and Final Meeting [0169395#]
  • Date: Thu, 16 Jan 2014 09:55:41 -0800 (PST)

Tom commented:

#That RFC is obsolete but in any case...

My RFC foo has been in disarray lately because the RFC server that I
always used, and which appears at the top of the Google results (at least
in my "search bubble") has been refusing queries lately. Sorry. Assume
"substitute the latest/greatest RFC, if the mentioned one has been
obsoleted" (I always have this same problem with RFC822, FWIW, too,
even though I KNOW that RFC2822 is what I "meant").

#to this:
#
#"a self-signed X.509v3 certificate containing a public key"

Much better.

#Joe, to understand why your suggestion is actually a step in reverse,
#you have to go back to Phase 1 and recall that we've completely
#eliminated all traces of the legacy X.509 PKI associated with the
#metadata signing key.

Except for the fact that you're actually using an X.509v3 cert. :-)

#>>(btw, if you try to go to https://md.incommon.org/certs/inc-md-cert.pem
#>>you get a cert error, because that host uses a cert that's only valid
#>>for wayf.incommonfederation.org,
#>
#> I don't think the TLS option was on the table, based on the last round of
#> conversation about this on TAC, but I'd have to go back and look.
#
#Right, this is still an open question. IJ and I need to consider our
#options and then I promised TAC I would bring this issue back for
#further discussion and eventual resolution.

Remember, if the IETF httpbis chair gets his way, ALL http will be encrypted.

:-)

Regards,

Joe


