
md-distro - Re: [md-distro] Agenda: Review and Final Meeting [0169395#]

Subject: Metadata Distribution Subcommittee of TAC

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [md-distro] Agenda: Review and Final Meeting [0169395#]
  • Date: Thu, 16 Jan 2014 13:14:20 -0500

On Thu, Jan 16, 2014 at 12:55 PM, Joe St Sauver <> wrote:
>
> #Joe, to understand why your suggestion is actually a step in reverse,
> #you have to go back to Phase 1 and recall that we've completely
> #eliminated all traces of the legacy X.509 PKI associated with the
> #metadata signing key.
>
> Except for the fact that you're actually using an X.509v3 cert. :-)

The existence of an X.509v3 cert doesn't imply an X.509 PKI. I must be
missing something so let me ask: when I use the phrase "X.509v3 cert",
what thoughts go through your head? Methinks I've unintentionally
tripped a cord.

> #>>(btw, if you try to go to https://md.incommon.org/certs/inc-md-cert.pem
> #>>you get a cert error, because that host uses a cert that's only valid
> #>>for wayf.incommonfederation.org,
> #>
> #> I don't think the TLS option was on the table, based on the last round of
> #> conversation about this on TAC, but I'd have to go back and look.
> #
> #Right, this is still an open question. IJ and I need to consider our
> #options and then I promised TAC I would bring this issue back for
> #further discussion and eventual resolution.
>
> Remember, if the IETF httpbis chair gets his way, ALL http will be
> encrypted.

This isn't the right place to have this discussion, Joe, but rather we
should wait and discuss this with the entire TAC (as promised). As an
aside, I will note that some federations protect their metadata server
with TLS and some don't:

https://docs.google.com/forms/d/1NBQI_n8XskN1dd33II0gc5PjTQQjw6UzpkwKph6bRfo/viewanalytics

Tom


