Per-Entity Metadata Working Group

[Scott Koranda <>]

> > What other objections are there to serving InCommon
> > metadata using the TLS trust model?
> 
> Mainly the lack of trust constraints. If we assume that ADFS
> is validating the certificate correctly and performing
> revocation checking, it still validates any certificate it
> gets against any valid trust root, which means there's no
> control over which trust anchor is trusted for specific
> sources of metadata.

I see.

So as a contrast, the Shibboleth IdP allows me to effectively
say "for metadata downloaded from this URL use this X.509 CA
trust chain to validate the TLS trust, but for metadata
downloaded from this other URL use this other X.509 CA trust
chain".

You are arguing that ADFS does not (to the best of our
knowledge so far) allow a deployer to do that and will simply
search any and all of its trust anchors for a way to validate
the server X.509 being used for TLS trust, correct?
 
> Even if you do the self-signed thing, you still have to
> trust that self-signed cert for basically anything in order
> to trust it for that specific case.

In other words, a ADFS operator has to pull that self-signed
cert into one of its trust stores and there is no way to
specifically "bind" it to the operation of trusting SAML
metadata from one particular URL.

Correct?
 
> The basic objection is over whether people would leverage
> the TLS layer correctly or effectively and whether that's a
> thing to even encourage given the complexity of getting it
> right.

Thanks,

Scott K