per-entity - RE: [Per-Entity] HTTPS transport and TLS trust
Subject: Per-Entity Metadata Working Group
- From: "Cantor, Scott" <>
- To: Scott Koranda <>
- Cc: "" <>
- Subject: RE: [Per-Entity] HTTPS transport and TLS trust
- Date: Tue, 6 Sep 2016 15:54:41 +0000
- Accept-language: en-US
> So as a contrast, the Shibboleth IdP allows me to effectively
> say "for metadata downloaded from this URL use this X.509 CA
> trust chain to validate the TLS trust, but for metadata
> downloaded from this other URL use this other X.509 CA trust
> chain".
IIRC the SP goes even farther with this and can impose naming constraints on
which entities you can get metadata for from a particular source (and both
IdP and SP certainly can impose them at the layer of a metadata filter).
> You are arguing that ADFS does not (to the best of our
> knowledge so far) allow a deployer to do that and will simply
> search any and all of its trust anchors for a way to validate
> the server X.509 being used for TLS trust, correct?
I would be very surprised to learn otherwise. I would in fact be surprised to
learn that it can rely on a trust store that doesn't just apply globally to
every other use of TLS on the system.
-- Scott
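As an added illustration of the per-source model discussed above (not code from this thread, nor from Shibboleth or ADFS): each metadata source is paired with its own CA bundle for TLS validation and its own naming constraints on which entityIDs it may supply, so a trust anchor for one source never validates another source's server certificate. The source URLs, CA file paths and sample aggregate are constructed for the example.

```python
import fnmatch
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed policy: per-source CA bundle and per-source naming constraints
# (URLs and CA file paths are hypothetical placeholders).
SOURCES = {
    "https://mdq.example.org/entities/": {
        "cafile": "/etc/pki/mdq-example-org-ca.pem",
        "allowed": ["https://*.example.org/*"],
    },
    "https://mdq.partner.example/entities/": {
        "cafile": "/etc/pki/partner-ca.pem",
        "allowed": ["https://idp.partner.example/*"],
    },
}

def tls_context_for(source_url):
    """TLS context that trusts only this source's CA bundle, not the system store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=SOURCES[source_url]["cafile"])
    return ctx

def fetch_entity(source_url, entity_id):
    """Fetch one entity's metadata (MDQ-style URL) under the source's own trust anchor."""
    url = source_url + urllib.parse.quote(entity_id, safe="")
    with urllib.request.urlopen(url, context=tls_context_for(source_url)) as resp:
        return resp.read()

def apply_naming_constraints(source_url, metadata_xml):
    """Split entityIDs into those this source may supply and those it may not."""
    allowed = SOURCES[source_url]["allowed"]
    kept, rejected = [], []
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}EntityDescriptor"):
        eid = ed.get("entityID", "")
        ok = any(fnmatch.fnmatchcase(eid, pat) for pat in allowed)
        (kept if ok else rejected).append(eid)
    return kept, rejected

# Constructed sample aggregate: one entity per source plus one neither may supply.
SAMPLE_XML = b"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
  <EntityDescriptor entityID="https://idp.partner.example/idp"/>
  <EntityDescriptor entityID="https://idp.example.net/idp"/>
</EntitiesDescriptor>"""
```

The filter step mirrors the metadata-filter layer mentioned in the reply: even if a source's TLS check passes, it cannot inject descriptors for entities outside its allowed namespace.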