Subject: Per-Entity Metadata Working Group

Re: [Per-Entity] implementing a cache on the client


  • From: Tom Scavo <>
  • To: Tom Mitchell <>
  • Cc: "" <>
  • Subject: Re: [Per-Entity] implementing a cache on the client
  • Date: Thu, 28 Jul 2016 13:42:05 -0400

On Thu, Jul 28, 2016 at 1:06 PM, Tom Mitchell <> wrote:
>
>> If the goal is to get our arms around the larger group of clients
>> (Shibboleth, SSP, AD FS, Ping), then we also need to reconsider our
>> overall security model. TLS on the MDQ server cannot be avoided if we
>> truly want to be all-encompassing.
>
> I’d like to play devil’s advocate here. I believe the documents being
> passed around are public and carry their own security so shouldn’t require
> TLS protections. Clients really shouldn’t care from where they’re getting
> the documents, they should only care that the signature within the document
> is valid.

I don't disagree with that. The metadata server at md.incommon.org
does not provide TLS protection. Ops made a one-sided decision not to
deploy TLS despite contrary recommendations from TAC.

But you need to understand the consequences of your position. AD FS
*requires* TLS. It will not consume SAML metadata at an endpoint
location that begins with http://, so we have to choose a path and suffer
the consequences.

Tom
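The position argued in this thread, that the client should care only about the signature inside the document and not about the transport it arrived over, is easy to state and easy to get subtly wrong. The following Go program is an added example, not code from this thread, from InCommon, or from any of the products named above. It assumes a simplified wire format: a detached RSA/SHA-256 signature over the exact metadata bytes, carried in a small XML envelope, standing in for the enveloped XML-DSig (with canonicalization) that real SAML metadata uses. The signing key, the EntityDescriptor document, the entityID values and the "current" time are all constructed for the demonstration. The client pins the publisher's public key and never looks at where the bytes came from; it also checks validUntil, because a signature alone proves integrity but does not stop an on-path party from replaying an old, genuine, expired copy, and that replay is exactly what a plain-HTTP fetch leaves open.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"time"
)

// Envelope is the assumed wire format: metadata bytes plus a detached RSA/SHA-256
// signature over exactly those bytes, both base64 (real SAML metadata uses enveloped XML-DSig).
type Envelope struct {
	XMLName   xml.Name `xml:"Envelope"`
	Document  string   `xml:"Document"`
	Signature string   `xml:"Signature"`
}

// EntityDescriptor holds the two attributes the client acts on.
type EntityDescriptor struct {
	XMLName    xml.Name `xml:"EntityDescriptor"`
	EntityID   string   `xml:"entityID,attr"`
	ValidUntil string   `xml:"validUntil,attr"`
}

// newKey is the publisher's signing key; newDocument builds a constructed
// metadata document with the validUntil the publisher chose.
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newDocument(entityID string, validUntil time.Time) []byte {
	return []byte(fmt.Sprintf(`<EntityDescriptor entityID=%q validUntil=%q/>`,
		entityID, validUntil.UTC().Format(time.RFC3339)))
}

// sign is the publisher side; only the publisher ever holds priv.
func sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding
	return xml.Marshal(Envelope{Document: enc.EncodeToString(doc), Signature: enc.EncodeToString(sig)})
}

// tamper is what an on-path attacker can do to a plain-HTTP fetch: replace
// the document but keep the old signature, since the signing key is not theirs.
func tamper(envelope, newDoc []byte) ([]byte, error) {
	var env Envelope
	if err := xml.Unmarshal(envelope, &env); err != nil {
		return nil, err
	}
	env.Document = base64.StdEncoding.EncodeToString(newDoc)
	return xml.Marshal(env)
}

// verify is the client side. It never consults the transport: the signature must
// check against the pinned key, and validUntil must not have passed (anti-replay).
func verify(pub *rsa.PublicKey, envelope []byte, now time.Time) (*EntityDescriptor, error) {
	var env Envelope
	if err := xml.Unmarshal(envelope, &env); err != nil {
		return nil, fmt.Errorf("bad envelope: %w", err)
	}
	doc, err1 := base64.StdEncoding.DecodeString(env.Document)
	sig, err2 := base64.StdEncoding.DecodeString(env.Signature)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("bad base64 in envelope")
	}
	digest := sha256.Sum256(doc)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify: rejected")
	}
	var ed EntityDescriptor
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return nil, fmt.Errorf("bad metadata: %w", err)
	}
	validUntil, err := time.Parse(time.RFC3339, ed.ValidUntil)
	if err != nil || !now.Before(validUntil) {
		return nil, fmt.Errorf("validUntil %q malformed or passed: rejected", ed.ValidUntil)
	}
	return &ed, nil
}

func main() {
	priv, err := newKey()
	if err != nil {
		panic(err)
	}
	now := time.Date(2016, 7, 28, 17, 42, 5, 0, time.UTC) // constructed "current" time
	genuine, _ := sign(priv, newDocument("https://idp.example.org/idp", now.Add(24*time.Hour)))
	forged, _ := tamper(genuine, newDocument("https://evil.example.net/idp", now.Add(24*time.Hour)))
	stale, _ := sign(priv, newDocument("https://idp.example.org/idp", now.Add(-time.Hour)))
	// Whether these bytes came over http://, https:// or a USB stick is irrelevant to verify.
	for name, body := range map[string][]byte{"genuine": genuine, "forged": forged, "stale": stale} {
		_, err := verify(&priv.PublicKey, body, now)
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```

Run it with `go run`: the genuine copy is accepted, the forged copy fails the signature check, and the stale copy passes the signature check but is refused on validUntil. The trust anchor is the pinned metadata signing key, not the server at md.incommon.org, which is why an http:// endpoint does not weaken the integrity check; it does mean a client must keep its own freshness discipline (validUntil here, and in practice a sensible refresh schedule), and it does nothing for a consumer such as AD FS that refuses an http:// metadata location before any of this runs.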
