Subject: Per-Entity Metadata Working Group


RE: [Per-Entity] HTTPS transport and TLS trust


  • From: "Cantor, Scott" <>
  • To: Scott Koranda <>, "" <>
  • Subject: RE: [Per-Entity] HTTPS transport and TLS trust
  • Date: Tue, 6 Sep 2016 14:06:40 +0000
  • Accept-language: en-US

> Are there other arguments in favor?

The generic one is just to limit the chance of a stale result being injected
into the stream. Without real time signing, you don't have much of a
freshness guarantee, so there are still windows during which stale metadata
responses could be injected. XML Signature doesn't natively have properties
related to replay or freshness. Using TLS raises the bar for that attack, but
less so if we're talking CDNs since that basically eliminates any real hope
of verifying the TLS certificate at any strength.

> What other objections are there to serving InCommon metadata
> using the TLS trust model?

Mainly the lack of trust constraints. If we assume that ADFS is validating
the certificate correctly and performing revocation checking, it still
validates any certificate it gets against any valid trust root, which means
there's no control over which trust anchor is trusted for specific sources of
metadata.

Even if you do the self-signed thing, you still have to trust that
self-signed cert for basically anything in order to trust it for that
specific case.

The basic objection is over whether people would leverage the TLS layer
correctly or effectively and whether that's a thing to even encourage given
the complexity of getting it right.

-- Scott
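The freshness window Scott describes above is what SAML metadata consumers bound with the `validUntil` attribute: a signed document with no freshness property can be replayed until the consumer stops accepting it, so the consumer has to refuse anything expired and anything whose declared lifetime is longer than local policy allows. The following is an added example, not code from the list or from the InCommon metadata service; the metadata document, the 14-day policy maximum, and the `check_freshness` and `parse_valid_until` names are constructed for illustration. It does not verify the XML Signature; that is a separate step, and this check only limits how long a stale but validly signed copy remains acceptable.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROOT_TAGS = {f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"}

# Constructed sample (not real InCommon metadata): an aggregate whose
# publisher declared it valid until a fixed UTC instant.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="{MD_NS}"
    Name="urn:example:constructed"
    validUntil="2016-09-20T14:00:00Z">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
</EntitiesDescriptor>
"""

# Same document with the freshness bound removed; a consumer should refuse
# it rather than treat it as valid forever.
SAMPLE_WITHOUT_VALID_UNTIL = SAMPLE_METADATA.replace(
    '\n    validUntil="2016-09-20T14:00:00Z"', "")


def parse_valid_until(xml_text):
    """Return the root element's validUntil as an aware UTC datetime.

    Raises ValueError when the root is not a metadata descriptor, when
    validUntil is absent, or when it is not a UTC 'Z' timestamp.
    """
    root = ET.fromstring(xml_text)
    if root.tag not in ROOT_TAGS:
        raise ValueError(f"unexpected root element {root.tag}")
    value = root.get("validUntil")
    if value is None:
        raise ValueError("metadata has no validUntil; freshness cannot be bounded")
    if not value.endswith("Z"):
        raise ValueError("validUntil must be an xs:dateTime in UTC")
    # strptime rather than fromisoformat: the trailing 'Z' is only accepted
    # by fromisoformat from Python 3.11 on.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_freshness(xml_text, now, max_validity=timedelta(days=14)):
    """Decide whether a metadata document may be accepted at time `now`.

    Returns (accepted, reason). A document is refused once validUntil has
    passed, and also when the publisher's declared lifetime exceeds the
    consumer's policy maximum: a long validUntil is exactly what makes a
    replayed stale copy dangerous, so the consumer caps it locally.
    """
    valid_until = parse_valid_until(xml_text)
    if valid_until <= now:
        return False, "expired"
    if valid_until - now > max_validity:
        return False, "validUntil exceeds local policy maximum"
    return True, "fresh"


if __name__ == "__main__":
    now = datetime(2016, 9, 6, 14, 6, 40, tzinfo=timezone.utc)
    print(check_freshness(SAMPLE_METADATA, now))
    print(check_freshness(SAMPLE_METADATA, now + timedelta(days=30)))
```

The policy maximum is the consumer's own knob: the shorter it is, the smaller the window in which an attacker who can inject responses (for example in front of a CDN, where the TLS certificate gives little assurance) can keep serving an old aggregate, at the cost of requiring the publisher to re-sign more often.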



