Subject Re: Self Signed Certs
From Peter Schober <peter.schober@xxxxxxxxxxxx>
Date Tue, 4 Aug 2009 17:07:24 +0200

Salut Olivier et al.,

* Olivier Salaün <olivier.salaun@xxxxxx> [2009-08-04 11:14]:
>     * IdPs now use the default Shibboleth configuration with the
>       generated certificate. This certificate has a longer validity
>       period, thus providing less work for IdP administrators ;

Actually the software should not care about certificate expiration at
all, since this will be handled via (signed) SAML2 metadata.
  While you might want to set an expiration date on your PGP key (just
in case you'll ever lose its revocation certificate), with public keys
embedded in managed metadata this is not an issue.

>     * No more issues with mod_ssl configuration on the SPs side,
>       because IdPs push attributes through the web browser ;

I guess you meant "on the IdPs side" above?
  Note that with back channel SLO you still might want client cert
auth to work for SOAP requests to the IdP. So we're probably not
getting rid of that in the long term. We're just getting rid of
attribute queries in most cases.

>     * The attribute push also makes the federated architecture much
>       simpler and therefore easier to explain and to debug.

You could have done that before with both SAML1 and SAML2, and with
both certificates issued by a CA as well as self-signed certs.
  Of course those deployments which mandated the use of certificates
from a (list of) specific CA(s) probably won't have their entities'
public keys embedded in the metadata, but this only prevents
assertions from being encrypted to the relying party, you could always
push (just) signed assertions.
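As an added illustration of the point made above (example code, not from this thread or from Shibboleth): a relying party that trusts a peer's key only because the signed SAML2 metadata lists it under a KeyDescriptor, and takes expiry from the metadata's validUntil rather than from the certificate's own notAfter. The metadata, the entityID and the certificate bytes are constructed placeholders, and verification of the metadata's XML signature is assumed to have already happened.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample: one SP entity with a signing key. The X509Certificate
# body is a placeholder blob standing in for real DER; matching is byte-wise,
# so the check never looks at notBefore/notAfter or at any CA chain.
SAMPLE_DER = b"constructed placeholder standing in for a DER certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/shibboleth" validUntil="2009-09-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SAMPLE_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _parse_valid_until(value):
    # SAML dateTime in UTC; fractional seconds are not handled in this sample.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trusted_keys(metadata_xml, entity_id, use, now):
    """Return the DER certificates that signed metadata declares for entity_id
    and key use ('signing' or 'encryption'). Assumes the caller has already
    verified the metadata's XML signature. Expiry is the metadata's validUntil,
    not the validity period inside the certificate."""
    root = ET.fromstring(metadata_xml)
    entity = next((e for e in root.iter(f"{{{MD}}}EntityDescriptor")
                   if e.get("entityID") == entity_id), None)
    if entity is None:
        raise LookupError(f"no EntityDescriptor for {entity_id}")
    for scope in (root, entity):           # validUntil may sit on either level
        vu = scope.get("validUntil")
        if vu is not None and now > _parse_valid_until(vu):
            raise ValueError(f"metadata for {entity_id} expired at {vu}")
    keys = []
    for kd in entity.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, use):   # no 'use' attribute means both
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            keys.append(base64.b64decode("".join(cert.text.split())))
    return keys


def key_is_trusted(metadata_xml, entity_id, use, presented_der, now):
    """True only if the presented certificate (from a TLS client or an
    assertion signer) is byte-for-byte one the metadata declares."""
    return presented_der in trusted_keys(metadata_xml, entity_id, use, now)
```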