
metadata-support - Re: [Metadata-Support] Re: MDQ status?

Subject: InCommon metadata support

  • From: Tom Poage <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] Re: MDQ status?
  • Date: Fri, 20 Jul 2018 19:13:55 +0000

Any update on the production MDQ service? I'm starting to run across vendor implementations that want a URL to fetch metadata and, in many cases, can't/won't support the size of aggregates. Of course, offering these vendors our IdP metadata endpoint is the last solution on the list to be offered.

 

Speaking of vendors, it's difficult to know for sure if they've validated the signature on downloaded metadata (even when asked). Odd thought, what if instead of (or in addition to) metadata signature, metadata is encrypted by e.g. the MDQ private key? Then vendors etc. would be forced to successfully decrypt what they download to make it useful (a form of validation). No, it doesn't give the truly lazy an out, like now, but seems a significant step toward ensuring that downstream consumers have gone through some kind of check on what they've fetched.

 

Thanks.

Tom.

 

From: <> on behalf of Nick Roy <>
Reply-To: "" <>
Date: Thursday, March 8, 2018 at 11:13 AM
To: "" <>
Subject: [Metadata-Support] Re: MDQ status?

 

Hi Tom,

 

We are working on productionalizing the MDQ service. Because of the need for high availability, combined with the need to handle signing keys in a very secure way, it is taking some time to do the planning.

 

Best,

 

Nick

 

Nick Roy

Director of Technology and Strategy, InCommon / Internet2 Trust and Identity Services


From: <> on behalf of Tom Poage <>
Sent: Thursday, March 8, 2018 11:26:58 AM
To:
Subject: [Metadata-Support] MDQ status?

 

I have some SP operators noticing/complaining about the ever-increasing amount of time to start the SP. I think they're using all the usual tricks of e.g. using the IdP-only aggregate, increasing timeouts and the like.

What's the status of the MDQ service? I haven't looked in detail, but do see some comments on productionalization from c. September.

Thanks!
Tom.



