Re: [Per-Entity] supporting metadata distribution via HTTPS


  • From: "Cantor, Scott" <>
  • To: Paul Caskey <>, Thomas Scavo <>, Per-Entity Metadata Working Group <>
  • Subject: Re: [Per-Entity] supporting metadata distribution via HTTPS
  • Date: Wed, 7 Sep 2016 16:54:57 +0000
  • Accept-language: en-US

On 9/7/16, 12:30 PM, Paul Caskey wrote:

> The way I heard our discussion earlier was that http would be the
> primary (and
> documented) path, same as always.

I don't have a strong feeling about what gets documented, but I personally
would use https and that might cause problems if I'm public with that
preference.

I understand the concern with confusion, but I also think we are worried
about the people who shouldn't be running IdPs at the expense of the people
who can. Using TLS with *some* legitimate trust anchor is better for
security, pretty much a priori, so we'd be deliberately weakening things for
everybody else. That's before considering that this is simply necessary to
make ADFS a participant in this mix.

> It's ironic that the introduction of TLS might actually degrade the overall trust
> fabric of the federation, but that is my fear.

I think the fear is already reflected by current practice. We get enough
questions and posted configurations to my list to tell me that plenty of
people are blindly pulling metadata over http now without verifying it. I
really don't think you can make people behave any worse than they do now.

But I think most people cut and paste. I don't think they're going to go out
of their way to do something that doesn't match an explicit example.

-- Scott
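A defender-side check for the situation Scott describes, metadata pulled over plain http with no signature verification, as an added example that is not from the thread: it audits a Shibboleth IdP-style metadata-providers.xml (the layout is assumed from that product, and the sample config is constructed) and flags remote providers that lack a SignatureValidation filter or do not fetch over https.

```python
"""Audit remote metadata providers for unverified or plaintext fetches.

Added example, not from the mailing-list thread. Assumes the Shibboleth IdP
metadata-providers.xml layout: MetadataProvider elements with a metadataURL
attribute and optional MetadataFilter children whose xsi:type is
SignatureValidation. SAMPLE_CONFIG below is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:mace:shibboleth:2.0:metadata"
NS = {"md": MD_NS}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

SAMPLE_CONFIG = """<MetadataProvider id="chain" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <MetadataProvider id="fed-http-unsigned" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="http://md.example.org/metadata.xml"/>
  <MetadataProvider id="fed-http-signed" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="http://md.example.org/metadata.xml">
    <MetadataFilter xsi:type="SignatureValidation" certificateFile="fed-signer.pem"/>
  </MetadataProvider>
  <MetadataProvider id="fed-https-signed" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="https://md.example.org/metadata.xml">
    <MetadataFilter xsi:type="SignatureValidation" certificateFile="fed-signer.pem"/>
  </MetadataProvider>
</MetadataProvider>"""


def audit_metadata_providers(xml_text):
    """Return {provider id: [findings]} for every provider with a metadataURL."""
    root = ET.fromstring(xml_text)
    findings = {}
    for mp in root.iter("{%s}MetadataProvider" % MD_NS):
        url = mp.get("metadataURL")
        if not url:
            continue  # chaining wrappers and local-file providers are out of scope
        has_sig = any(f.get(XSI_TYPE, "").endswith("SignatureValidation")
                      for f in mp.findall("md:MetadataFilter", NS))
        issues = []
        if not has_sig:
            # Nothing proves the document came from the federation operator.
            issues.append("no SignatureValidation filter")
        scheme = urlparse(url).scheme
        if scheme != "https":
            # Signature checks still apply, but transport offers no trust anchor.
            issues.append("fetched over %s, not https" % scheme)
        findings[mp.get("id")] = issues
    return findings
```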
