InCommon metadata support

[Brad MacDonald <>]

Thanks Scott and Tom for your responses on this.  Luckily we only have 6 
IdP's that are in this configuration so maybe we will be able to coordinate 
the effort with the least amount of downtime. 

Brad MacDonald
Skillsoft | phone: 613.963.0332 | mobile: 613.858.7414
Senior Platform Engineer, Hosting

 | www.skillsoft.com

      

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Cantor, Scott
Sent: Thursday, May 26, 2016 12:36 PM
To: 

Subject: RE: [Metadata-Support] Question on updating metadata with new 
certificates

> I'm afraid that's the answer to your original question. If your 
> software does not support multiple decryption keys, it's not possible 
> to migrate an encryption certificate in metadata without loss of 
> service.

Modulo the obvious:

- flag days
- forcing all IdPs to disable encryption ahead of time

If your software is like this, I would advise you not support encryption 
because, well, you really don't. Supporting things like encryption badly are 
generally worse for the IdP than not supporting them, since they just end up 
creating problems later.

I tend to ask about this when I'm dealing with vendors and this is one of my 
red flags for asking if I can turn off encryption for their service.

-- Scott