RE: [Per-Entity] distribution of aggregate metadata

  • From: "Cantor, Scott" <>
  • To: Nick Roy <>
  • Cc: Chris Phillips <>, "Per-Entity Metadata Working Group" <>
  • Subject: RE: [Per-Entity] distribution of aggregate metadata
  • Date: Thu, 11 Aug 2016 18:03:28 +0000

> Endpoint-hosted metadata that is signed by a federation operator starts to
> look a lot like a SAML version of what Roland’s proposing with OpenID
> Connect.

Except that it was SAML's/Liberty's idea to start with, but yes.

The move to batches was a combination of being easier to implement, easier
for deployers, and because it was easier to understand the security
properties.

There was a little bit of "Scott gets hives from mixing locations and names"
mixed in, and you have to work a bit to get back that layer of indirection in
ways that SAML didn't explore because it just went in the other direction.

In practice, nothing does make that distinction, so now your policies about
services have to change when their locations do. Try making attribute release
work in that world. Again, when there are 10 IdPs and they all release
everything to everyone, subject to consent, you sidestep that problem.

We also have the URN problem. Scott doesn't relish changing his IdP's name.

But I digress...

I don't think I would be that concerned about basic CDN reliability in
practice, *if* we're caching on disk. Which we're not at present. So that's
really my take-away, that nobody by and large really believes networks and
CDNs can meet anything above 3-4 9s, and semi-regular but unpredictable
outages are inevitable.

-- Scott
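The disk-cache fallback Scott refers to, as an added example that is not from the thread or from any federation's own software: a loader that prefers the CDN, falls back to the on-disk copy only while that copy is still inside its validUntil window, and refuses a stale one. The sample aggregate, the entityID, the cache path and the verify() hook (a stand-in for the XML signature check against the federation key) are all constructed here.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample aggregate (not real federation data) with a one-week validUntil.
SAMPLE_MD = (b'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
             b'validUntil="2016-08-18T00:00:00Z"><md:EntityDescriptor '
             b'entityID="https://idp.example.org/constructed"/></md:EntitiesDescriptor>')

def valid_until(xml_bytes):
    """Root validUntil attribute as an aware UTC datetime, or None if absent."""
    value = ET.fromstring(xml_bytes).get("validUntil")
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_metadata(fetch, cache_path, now, verify=lambda data: True):
    """Fetch from the CDN; fall back to the disk copy only while it is inside validUntil."""
    try:
        data = fetch()
        if not verify(data):                 # verify() stands in for the XML signature check
            raise ValueError("fetched metadata failed verification")
        exp = valid_until(data)
        if exp is not None and exp <= now:
            raise ValueError("fetched metadata is already expired")
        with open(cache_path, "wb") as fh:   # refresh the cache only with good data
            fh.write(data)
        return "network", data
    except Exception:
        if not os.path.exists(cache_path):
            raise                            # no fallback: surface the network error
        with open(cache_path, "rb") as fh:
            cached = fh.read()
        exp = valid_until(cached)            # re-check: the disk copy is not trusted blindly
        if not verify(cached) or exp is None or exp <= now:
            raise RuntimeError("cached metadata unusable; refusing to serve a stale copy")
        return "cache", cached

def simulate_outage():
    """Good fetch, then an outage inside the validity window, then one past it."""
    def cdn_down(): raise OSError("CDN unreachable")   # simulated outage
    path = os.path.join(tempfile.mkdtemp(), "aggregate.xml")
    now = datetime(2016, 8, 11, 18, 0, tzinfo=timezone.utc)
    first = load_metadata(lambda: SAMPLE_MD, path, now)[0]
    second = load_metadata(cdn_down, path, now)[0]
    try:
        third = load_metadata(cdn_down, path, now.replace(day=19))[0]
    except RuntimeError:
        third = "refused"
    return first, second, third
```

The third scenario is the caveat that matters: once the cached copy is past validUntil, an outage becomes a hard failure rather than a silent fallback to metadata the federation no longer vouches for.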
