Skip to Content.
Sympa Menu

metadata-support - Re: [Metadata-Support] MDQ format options?

Subject: InCommon metadata support

List archive

Re: [Metadata-Support] MDQ format options?

Chronological Thread 
  • From: David Langenberg <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] MDQ format options?
  • Date: Tue, 6 Dec 2016 22:36:17 +0000
  • Accept-language: en-US
  • Ironport-phdr: 9a23:sGcYLBxWufpid7vXCy+O+j09IxM/srCxBDY+r6Qd1OMVIJqq85mqBkHD//Il1AaPBtSAra8dw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze6/9pndbglShDexfK55IQmrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsDwULs6Wymt771zRRHolikJKiI5/m/UhMx+jq1UvB2uqgdww4LIZYGYLuZycr/fcN4cWGFPXtxRVytEAo6kYYUAFfQBPedFoILgoVUBtx2+BQayC+Pp0TBHmGX23aIn2OkmDA7JxhIgEMwKsHnPsdX6KKcSUeGpw6bSwjXDaOla1ing54jVax0sp+yHU7FoccfJ1EUjCQDIgk+NpYHrPz6ZzPkBvmmb4uZ6V++iiWgqoBxrrDe13McjkIzJi5oVyl/a8SV5x544Jca9SE5ned6oDJtduzuHN4RqQsMiQn1ntzw1yr0Bo5K0YjUFyIk/yx7ebfyIbZSI7wr+WOqPIjp0nm9pdby/ihqo7ESty+3xWtO23VtItiZFl8PDtnEJ1xzd8MiHTf5981+81jmVyQDc9OVELFsplaXHK54hw6I/mYAcsUTEBCP5hlj5jLKOekU+5ueo8/jnYqnhppKENo90jB3xMqMrmsy6BuQ4NBICX2+B+eSzzbHj+FP2QKlQgfIriKbZrIrVKd0Apq6kGw9VyoEj6wyjDzq91NQYnGIHLE5eeB6ZlYTpOlfOIOzmAvelhVSjjitry+7cMrL/H5rNMyuLrLC0N7Nw90dQwRY6iMtC/4pTEK0pIfT4XUr0s9qeCQU2eUTgxuv7Adl0yopbQn+XGqiDLIvTt1SP4+coJa+LfoBD6xjnLP1wy/fwjHNxvVYbcqSv15YNZzjsEv14LkGxfHHsg9wIHmBMswYjGr+5wGaeWCJeMi7hF5k34Ss2Xdqr

> On Dec 6, 2016, at 3:44 PM, Tom Scavo
> <>
> wrote:
>> On Tue, Dec 6, 2016 at 4:26 PM, Tom Poage
>> <>
>> wrote:
>> I’ve been trying to find ways to get unknowledgeable (and
>> non-participating) vendors to obtain a trusted/verifiable copy of our IdP
>> metadata.
> That would be a wonderful Xmas present ;-)
>> Many vendors, albeit understandably, refuse to download the InCommon
>> aggregate. Even if they do, understanding the content and parsing out our
>> IdP metadata, often by hand (ugh), and without even broaching the extra
>> consideration of signature verification, seems an insurmountable task for
>> the typical kind of support person on that end assigned to the task.
> Yes, you've hit the nail right on the head, Tom. This is why IdP
> deployers will immediately gain benefit from an MDQ server even if
> they don't reconfigure their IdPs. As you've noted, there's great
> value in having a permanently addressable URI for a single IdP entity
> descriptor.
>> I’ve resisted self-publishing our IdP metadata (with or without local
>> signature, to varying degrees of success), so the MDQ server seemed a good
>> bet. Now to get them to take that small but oh so important step of
>> verifying what they download!
> The consultation of the Final Report from the Per-Entity Metadata WG
> [1] ended yesterday, otherwise I'd ask you to weigh in on the
> following issue:
> Should the MDQ server serve entities over TLS? Most people say yes but
> then that raises a more interesting question: Should the TLS
> certificate be self-signed OR signed by a commercial CA OR signed by
> an internal CA created specifically for that purpose?
> Thoughts?

My vote would be commercial CA signed. Then provide instructions / support
for how people can configure their software to pin the chain appropriately if
they want to avoid the concerns of trusting a commercial CA.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Archive powered by MHonArc 2.6.19.

Top of Page