Subject: InCommon metadata support

Re: [Metadata-Support] MDQ format options?


  • From: Nick Roy <>
  • To: <>
  • Subject: Re: [Metadata-Support] MDQ format options?
  • Date: Thu, 8 Dec 2016 15:39:02 -0700



On 12/7/16 4:56 PM, Cantor, Scott wrote:
> On 12/7/16, 6:47 PM, " on behalf of Tom Poage" < on behalf of > wrote:
>
>> I sense there’s also not much middle ground (vs. dichotomy) to make it
>> relatively easy for Right Thing deployers to do just
>> that, and to present a semi-surmountable obstacle to Wrong Thing deployers
>> to do, well, just that.
> I think a non-commercial trust path for the TLS layer does exactly that, as
> best it can be done.
>
> Those verifying signatures can frankly ignore the TLS part if they like and
> they'd still be better off than using http alone. Those not verifying
> signatures either do nothing (which they'll do regardless) or just choose
> to trust the cert, it's not that hard.
>
> I don't think it's a burden to install a CA. On Windows it's a double
> click. If you claim as a vendor that it's against your security policy,
> that's laughable when none of the CAs you already trust have any business
> certifying SAML metadata.

You convinced me. I think this needs to be TLS using a self-signed
cert, and if they can't add an explicit trust to their truststore, "they
are not tall enough to get on the ride".

Nick

>
> -- Scott
>
>

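The trust model argued for above (a metadata signature that is sufficient on its own, plus a TLS layer whose only anchor is an explicitly installed CA or self-signed certificate rather than the public CA store) is easy to get subtly wrong in a client, because most TLS libraries silently fall back to the system trust store. The following is an added illustration, not code from the InCommon MDQ service or from anyone in this thread. It assumes the responder uses the MDQ per-entity URL layout `<base>/entities/<identifier>` (with the `{sha1}` identifier form from the SAML profile of MDQ), that the trust anchor is supplied as PEM text, and that the XML-signature check on the returned metadata is performed by a caller-supplied function; the names `mdq_entity_url`, `mdq_tls_context`, `describe_context` and `fetch_entity_metadata` are this example's own.

```python
"""Fetch SAML metadata from an MDQ responder over TLS that trusts only an
explicitly installed anchor, then insist on a verified metadata signature.

Added illustration; not the InCommon project's code. The signature check
itself (normally xmlsec or the SAML library's own verifier) is left to the
verify_signature callback the caller passes in.
"""
import hashlib
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Optional


def mdq_entity_url(base_url: str, entity_id: str, sha1_form: bool = False) -> str:
    """Build the per-entity MDQ request URL.

    An entityID is a full URI, so ':' and '/' must be percent-encoded
    (safe="") or the responder would see extra path segments. The SAML
    profile also allows the '{sha1}' + lowercase hex SHA-1 of the entityID
    as the identifier, which keeps the path short and ASCII-only.
    """
    if sha1_form:
        identifier = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    else:
        identifier = entity_id
    return base_url.rstrip("/") + "/entities/" + urllib.parse.quote(identifier, safe="")


def mdq_tls_context(trust_anchor_pem: Optional[str]) -> ssl.SSLContext:
    """TLS client context whose only trust anchor is the supplied PEM.

    PROTOCOL_TLS_CLIENT already enables CERT_REQUIRED and hostname checking.
    load_default_certs() is deliberately never called: the public CAs in the
    system store play no part in certifying a metadata server, so a context
    given no anchor at all fails closed instead of falling back to them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if trust_anchor_pem:
        ctx.load_verify_locations(cadata=trust_anchor_pem)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer would check on a metadata client."""
    return {
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "check_hostname": ctx.check_hostname,
        "anchors": len(ctx.get_ca_certs()),
    }


def fetch_entity_metadata(
    base_url: str,
    entity_id: str,
    ctx: ssl.SSLContext,
    verify_signature: Callable[[bytes], bool],
    timeout: float = 10.0,
) -> bytes:
    """Two-layer check: the TLS handshake must chain to the explicit anchor
    (urlopen raises ssl.SSLError otherwise, before any body is read), and the
    returned document must carry a signature the caller's verifier accepts.
    """
    req = urllib.request.Request(
        mdq_entity_url(base_url, entity_id),
        headers={"Accept": "application/samlmetadata+xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        body = resp.read()
    if not verify_signature(body):
        raise ValueError("metadata signature did not verify; refusing to use it")
    return body


if __name__ == "__main__":
    # Constructed sample values, not a real responder or entity.
    base = "https://mdq.example.org"
    entity = "https://idp.example.org/idp/shibboleth"
    print(mdq_entity_url(base, entity))
    print(mdq_entity_url(base, entity, sha1_form=True))
    # With no anchor loaded the context rejects every server: fail closed.
    print(describe_context(mdq_tls_context(None)))
```

A deployer following the thread's "Right Thing" path drops the self-signed or private-CA certificate's PEM into `mdq_tls_context`; a deployer who verifies signatures can treat an `ssl.SSLError` as a warning rather than a hard failure, but the `verify_signature` gate stays mandatory either way.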

