Subject RE: Self Signed Certs
From "Scott Cantor" <cantor.2@xxxxxxx>
Date Tue, 4 Aug 2009 11:19:14 -0400

Peter Schober wrote on 2009-08-04:
> Actually the software should not care about certificate expiration at
> all, since this will be handled via (signed) SAML2 metadata.
>   While you might want to set an expiration date on your PGP key (just
> in case you'll ever lose its revocation certificate), with public keys
> embedded in managed metadata this is not an issue.

Rekeying is still an issue, I would anticipate some federations (or should I
just say "registrars"?) requiring periodic key changes, but the main
advantage is we can control that arbitrarily, not decide ahead of time and
start a countdown to a runtime failure.

-- Scott