per-entity - Re: [Per-Entity] HTTPS transport and TLS trust
Subject: Per-Entity Metadata Working Group
List archive
- From: Nicholas Roy <>
- To: <>
- Subject: Re: [Per-Entity] HTTPS transport and TLS trust
- Date: Fri, 23 Sep 2016 10:00:44 -0600
- Authentication-results: spf=none (sender IP is ) ;
- Ironport-phdr: 9a23:Ed9q6BUeVAtuX+JeO5mwgp7XTmvV8LGtZVwlr6E/grcLSJyIuqrYZRKCt8tkgFKBZ4jH8fUM07OQ6P+wHzFbqs/c+Fk5M7VyFDY9wf0MmAIhBMPXQWbaF9XNKxIAIcJZSVV+9Gu6O0UGUOz3ZlnVv2HgpWVKQka3ZkJJIbGhAoPIysmxy+Gu6rXSZQ5PgT+6Z/V1Nhrg/ivLscxDp4ppKqE1wwCBmHxZM7BQ32R5DVOVgxvm4Mqspthu/zkG6KFpzNJJTaivJ/dwdrdfFjlza20=
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
On 9/6/16 12:31 PM, Tom Scavo wrote:
On Tue, Sep 6, 2016 at 9:40 AM, Scott KorandaJust getting to this thread after coming back from vacation a couple weeks ago.
<>
wrote:
My understanding is that the InCommon TAC in particular hasThat statement has some truth in it but that is not the whole story.
had objections in the past to serving any InCommon metadata
that *relies* on the TLS trust model.
All you have to do is raise this topic on the REFEDS list to start a
religious war :-)
Can someone familiar with that objection (Scott C or Tom S orI can give a historical perspective. AFAIK, InCommon has always
Nick R or ?) provide more details, or correct my understanding
if I am wrong?
published a metadata location that begins with "http://";. Originally,
that location was:
http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
Now it is:
http://md.incommon.org/InCommon/InCommon-metadata.xml
Server md.incommon.org does not support TLS, which is intentional. A
surprising fact is that TAC recommended that md.incommon.org should
support TLS. Ops disagreed with TAC (which is rare, and perhaps
unprecedented) so md.incommon.org does not support TLS.
FYI, last year TAC recommended that Ops deploy an EV cert on the ops.incommon.org site where we distribute the information to allow bootstrapping trust in the signing key (details at: https://spaces.internet2.edu/display/InCFederation/Metadata+Signing+Certificate)
We deployed an EV cert on that site, and obtaining that cert was an arduous, multi-month process. I have to renew it after TechEx, not looking forward to that...
Nick
What other objections are there to serving InCommon metadataI'll sidestep that question (ScottC gave an answer) and suggest a
using the TLS trust model?
thought experiment. Suppose md.incommon.org supported TLS. What
metadata location would we publish and document? The only answer that
makes sense (to me) is that we would publish a metadata location that
begins with "https://";. But what about the documentation? Honestly, I
wouldn't be able to write documentation that makes sense (to the
average deployer). That little "s" in the URL really complicates the
message, so in the end we decided not to support TLS on
md.incommon.org.
An MDQ server gives us an opportunity to revisit this issue. I'll stop there
:-)
Tom
- Re: [Per-Entity] HTTPS transport and TLS trust, (continued)
- Re: [Per-Entity] HTTPS transport and TLS trust, Tom Scavo, 09/06/2016
- Re: [Per-Entity] HTTPS transport and TLS trust, Patrick Radtke, 09/06/2016
- Re: [Per-Entity] HTTPS transport and TLS trust, Scott Koranda, 09/06/2016
- RE: [Per-Entity] HTTPS transport and TLS trust, Paul Caskey, 09/07/2016
- Re: [Per-Entity] HTTPS transport and TLS trust, Nicholas Roy, 09/23/2016
- Re: [Per-Entity] HTTPS transport and TLS trust, Scott Koranda, 09/06/2016
- RE: [Per-Entity] HTTPS transport and TLS trust, Paul Caskey, 09/07/2016
- RE: [Per-Entity] HTTPS transport and TLS trust, Paul Caskey, 09/06/2016
- Re: [Per-Entity] HTTPS transport and TLS trust, Cantor, Scott, 09/23/2016
- Re: [Per-Entity] HTTPS transport and TLS trust, Nicholas Roy, 09/23/2016
Archive powered by MHonArc 2.6.19.