metadata-support - RE: [Metadata-Support] Question on updating metadata with new certificates
Subject: InCommon metadata support
- From: "Cantor, Scott" <>
- To: "" <>
- Subject: RE: [Metadata-Support] Question on updating metadata with new certificates
- Date: Thu, 26 May 2016 16:36:20 +0000
> I'm afraid that's the answer to your original question. If your
> software does not support multiple decryption keys, it's not possible
> to migrate an encryption certificate in metadata without loss of
> service.

Modulo the obvious:

- flag days
- forcing all IdPs to disable encryption ahead of time

If your software is like this, I would advise you not support encryption
because, well, you really don't. Supporting things like encryption badly is
generally worse for the IdP than not supporting them, since they just end up
creating problems later.

I tend to ask about this when I'm dealing with vendors and this is one of my
red flags for asking if I can turn off encryption for their service.

-- Scott
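
The rollover constraint discussed in this message, as an added illustration that is not part of the original thread: a constructed model in which each IdP encrypts to whichever SP key its cached metadata carries. The function names, refresh hours and 48-hour horizon are assumptions made for the example.

```python
"""Constructed model of an SP encryption-key rollover via federation metadata."""

def undecryptable_hours(idp_refresh_hours, sp_keys_at, horizon=48):
    """Count IdP-hours in which the SP cannot decrypt that IdP's assertions.

    idp_refresh_hours: hour at which each IdP picks up the new certificate;
                       before that it still encrypts to the old one.
    sp_keys_at: function from an hour to the set of keys the SP holds then.
    """
    failures = 0
    for hour in range(horizon):
        usable = sp_keys_at(hour)
        for refresh in idp_refresh_hours:
            encrypts_to = "new" if hour >= refresh else "old"
            if encrypts_to not in usable:
                failures += 1
    return failures

def single_key_sp(swap_hour):
    """SP holding exactly one decryption key, swapped at swap_hour."""
    return lambda hour: {"new"} if hour >= swap_hour else {"old"}

def multi_key_sp(add_hour, retire_hour):
    """SP that adds the new key at add_hour and drops the old at retire_hour."""
    def keys(hour):
        held = {"old"} if hour < retire_hour else set()
        if hour >= add_hour:
            held.add("new")
        return held
    return keys

def best_single_key_outcome(idp_refresh_hours, horizon=48):
    """Fewest failures a single-key SP reaches over every possible swap hour."""
    return min(undecryptable_hours(idp_refresh_hours, single_key_sp(s), horizon)
               for s in range(horizon + 1))

# Constructed sample: IdPs refresh 1, 6, 12 and 30 hours after publication.
STAGGERED = [1, 6, 12, 30]
# Constructed "flag day": every IdP switches at the same agreed hour.
FLAG_DAY = [10, 10, 10, 10]

if __name__ == "__main__":
    print("single key, best swap hour:", best_single_key_outcome(STAGGERED))
    print("single key, flag day:", undecryptable_hours(FLAG_DAY, single_key_sp(10)))
    print("multiple keys:", undecryptable_hours(STAGGERED, multi_key_sp(0, 31)))
```

With staggered refreshes, no swap hour gives a single-key SP zero failures; holding both keys until the last IdP has refreshed does.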