KantaraInitiative / SAMLprofiles

SAML interoperability and deployment profiles

(Issue 2) Trust of metadata #131

Closed judielaine closed 5 years ago

judielaine commented 5 years ago

Issue 2: https://kantarainitiative.org/confluence/display/fiwg/SAML2int+v2.0

Scott already has a comment. Scott explains other ecosystems may not have the issue, e.g. federated PKI or some other trust anchor, completely trusted CAs… There are other ways to do this but not relevant to R&E feds. Scott says it’s hard to explain why the requirement is true in practice even if not in theory.

Can we have a nuanced response to Rainer? We do have italicised comments…. MUST NOT is “false” unless… we need to explain the metadata verification…. NO, we do need to change this to be correct. We should give examples that tie back to different ways that trust can be verified. We can say MUST NOT if we preclude other ways. SWITCH might do something different? Some R&E feds do use different patterns, but it’s not the same issue as Rainer is bringing up. Since we are trying to avoid bringing up federations, we don’t want to preclude. Let’s focus on a positive requirement: last sentence in italics. We’ll need to turn it into a technical requirement.

AI: Scott will take this approach

scantor commented 5 years ago

My proposed replacement for MD02:

[SDP-MD02]:: Consumption of metadata MUST be contingent on verification of a signature (STRONGLY RECOMMENDED) or TLS server certificate. It MUST be possible to communicate changes to the keys within the metadata without also changing the key used to establish trust in the metadata.

In most cases, this requirement implies that a key communicated via metadata will not also be used to sign and verify the same metadata, but it is possible to construct scenarios in which this may happen if metadata verification relies on a chain of certificates signed by an ultimately trusted Certificate Authority. The details of such an approach are beyond the scope of this document.
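An added illustration of the proposed MD02 wording, not code from the SAMLprofiles repository or from scantor: a consumer that pins the publisher's anchor key out of band and uses the metadata only after the signature verifies, so the entity's own key inside the document can change between versions without the anchor changing. It assumes an Ed25519 detached signature over a cut-down EntityDescriptor in place of XML Signature, and placeholder key values; the `Metadata`, `Publish` and `Consume` names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
)

// Metadata is a cut-down EntityDescriptor; the entity's own key rides inside it,
// as it does in a real KeyDescriptor.
type Metadata struct {
	XMLName    xml.Name `xml:"EntityDescriptor"`
	EntityID   string   `xml:"entityID,attr"`
	SigningKey string   `xml:"KeyDescriptor>KeyInfo>PublicKey"` // hex-encoded
}

// Publish serialises the metadata and returns it with a detached signature made
// by the publisher's anchor key, never by a key carried inside the document.
func Publish(anchor ed25519.PrivateKey, md Metadata) (doc, sig []byte, err error) {
	if doc, err = xml.Marshal(md); err != nil {
		return nil, nil, err
	}
	return doc, ed25519.Sign(anchor, doc), nil
}

// Consume applies SDP-MD02: parse and use the document only after its signature
// verifies against the anchor key configured out of band. Keys found inside the
// document play no part in that decision.
func Consume(anchorPub ed25519.PublicKey, doc, sig []byte) (*Metadata, error) {
	if !ed25519.Verify(anchorPub, doc, sig) {
		return nil, errors.New("metadata signature does not verify against the trust anchor")
	}
	var md Metadata
	if err := xml.Unmarshal(doc, &md); err != nil {
		return nil, err
	}
	return &md, nil
}

func main() {
	// Constructed run: the entity's key changes between two metadata versions
	// while the anchor key the consumer pins stays the same.
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader)
	for _, key := range []string{"aa11", "bb22"} { // placeholder key values
		doc, sig, _ := Publish(anchorPriv, Metadata{EntityID: "https://sp.example.org", SigningKey: key})
		md, err := Consume(anchorPub, doc, sig)
		fmt.Println(md.EntityID, md.SigningKey, err)
	}
}
```

A document signed with any key other than the pinned anchor, including the entity's own key from inside the metadata, fails the `Consume` check, which is the behaviour the second sentence of the proposed MD02 text requires.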

nckroy commented 5 years ago

This is about the only way I can think of to say what needs to be said.