
RE: [Per-Entity] supporting metadata distribution via HTTPS


  • From: Paul Caskey <>
  • To: Thomas Scavo <>, Per-Entity Metadata Working Group <>
  • Subject: RE: [Per-Entity] supporting metadata distribution via HTTPS
  • Date: Wed, 7 Sep 2016 16:30:09 +0000

The way I heard our discussion earlier was that http would be the primary
(and documented) path, same as always.

But, we can also support https for those that need it.

Regardless, http is the preferred path for most deployments.

I think we can make this clear with correct verbiage, though I do agree with
your disappointments (in fact, you were generous, I would say 3 or 4 out of 5
don't understand it enough to run securely).



> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Scavo
> Sent: Wednesday, September 07, 2016 11:23 AM
> To: Per-Entity Metadata Working Group <>
> Subject: [Per-Entity] supporting metadata distribution via HTTPS
>
> The following is not an Ops perspective (that’s a completely different
> conversation :). I’m speaking now as a technical support person, one who
> interacts with deployers every day. My overall experience is best described
> as disappointing. I estimate that 2 in 5 deployers lack the knowledge and/or
> experience to safely administer a SAML deployment.
> Good documentation helps but not as much as you might think.
>
> Here’s a case in point: front-channel vs. back-channel protocols. Most
> deployers do not understand why there are two use="signing"
> certificates in Shibboleth IdP V3 metadata. I tell them the front and back
> channels have completely different security models and therefore best
> practice dictates that each of the two channels rely on distinct key pairs.
> At that point, most eyes gloss over.
>
> Recently, I’ve started to take a completely different approach when
> consulting with deployers. All new IdP deployments are pushed firmly
> towards front-channel bindings only. That sidesteps the difficult
> front-channel vs back-channel security issue entirely. Out of sight, out of mind!
>
> We will have exactly the same problem if and when we start serving
> metadata over HTTPS. The documentation that we have [1] will become
> more complex. Deployers will see the little “s” in the metadata location and
> blithely think all is well. Most will ignore the rest of the documentation.
>
> It’s ironic that the introduction of TLS might actually degrade the overall
> trust fabric of the federation, but that is my fear.
> Experience tells me that is a very real possibility.
>
> Tom
>
> [1] Metadata Client Software https://spaces.internet2.edu/x/QYG8Ag
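As an added illustration of the "little s" point above (editorial example, not from the thread, the working group, or the Internet2 documentation linked at [1]): a Shibboleth IdP V3 metadata-providers.xml fragment for per-entity (MDQ) lookup, showing the configuration that relies on the https URL alone beside the one whose trust actually rests on the federation signing key. The element and attribute names are taken from the IdP V3 DynamicHTTPMetadataProvider documentation as I know it; mdq.example.org and the credential path are placeholders.

```xml
<!-- Added example, not from the thread. Shibboleth IdP V3 metadata-providers.xml
     fragment; mdq.example.org and the credential path are placeholders. -->

<!-- WEAK: the query URL uses https, so a deployer sees the "s" and stops there.
     TLS only protects the hop to the MDQ server; nothing in this provider checks
     who signed the metadata, so whatever the server returns enters the trust fabric. -->
<MetadataProvider id="MDQ-weak" xsi:type="DynamicHTTPMetadataProvider">
    <MetadataQueryProtocol>https://mdq.example.org/</MetadataQueryProtocol>
</MetadataProvider>

<!-- CORRECT: trust comes from the federation's metadata signing key, not from the
     transport, so the same configuration is equally trustworthy with an http:// URL.
     That is what lets http stay the documented primary path. -->
<MetadataProvider id="MDQ" xsi:type="DynamicHTTPMetadataProvider">
    <!-- Verify the XML signature on every per-entity response against the
         federation signing certificate obtained out of band (placeholder path). -->
    <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="%{idp.home}/credentials/mdq-signer.pem"/>
    <!-- Reject metadata that carries no validUntil, and cap how far ahead it may
         lie, so a stale but validly signed entity descriptor cannot live forever. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
    <MetadataQueryProtocol>https://mdq.example.org/</MetadataQueryProtocol>
</MetadataProvider>
```

The filter order matters: filters run in the order listed, so the signature is checked before the validity window is applied.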



Archive powered by MHonArc 2.6.19.
