Per-Entity Metadata Working Group

[Nick Roy <>]

> On Aug 11, 2016, at 12:03 PM, Cantor, Scott 
> <>
>  wrote:
> 
>> Endpoint-hosted metadata that is signed by a federation operator starts to
>> look a lot like a SAML version of what Roland’s proposing with OpenID
>> Connect.
> 
> Except that it was SAML's/Liberty's idea to start with, but yes.
> 
> The move to batches was a combination of being easier to implement, easier 
> for deployers, and because it was easier to understand the security 
> properties.
> 
> There was a little bit of "Scott gets hives from mixing locations and 
> names" mixed in, and you have to work a bit to get back that layer of 
> indirection in ways that SAML didn't explore because it just went in the 
> other direction.
> 
> In practice, nothing does make that distinction, so now your policies about 
> services have to change when their locations do. Try making attribute 
> release work in that world. Again, when there are 10 IdPs and they all 
> release everything to everyone, subject to consent, you sidestep that 
> problem.
> 
> We also have the URN problem. Scott doesn't relish changing his IdP's name.
> 
> But I digress...
> 
> I don't think I would be that concerned about basic CDN reliability in 
> practice, *if* we're caching on disk. Which we're not at present. So that's 
> really my take-away, that nobody by and large really believes networks and 
> CDNs can meet anything above 3-4 9s. and semi-regular but unpredictable 
> outages are inevitable.

Thanks - that helps.  So sounds like maybe we need to plan for caching on 
disk on the clients, and make that work with three nines of uptime.  Is that 
something we can agree on?

Nick

> 
> -- Scott
>