On 6/23/11 2:24 PM, "Sam Hartman" <[log in to unmask]> wrote:
>This is an area where you really need to take the time to actually
>understand how this information is used and we all need to have a
>discussion about what we need to support.
I won't pretend to have done more than a little thinking about this, but
my inclination with ECP has been (naturally) to think in terms of SAML's
existing mechanisms. I don't think it's unreasonable in that case to
consider using signed metadata as the basis of IdP trust, and having done
that, the problem becomes one of metadata trust, which is a different
scaling proposition with respect to the PKI in the client.
Whether something like that works for RADIUS, I couldn't say, but since I
believe it's essentially "the thing that should be done in all clients
instead of PKIX", I guess I think it does.
So basically, I think naming constraints are a mess, cert validation is a
nightmare, and comparing the key (*not* the cert) is the way to go. How to
provision the keys is then the problem to solve, and that's what
federations are for.
-- Scott
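The position above, that a client should compare the peer's public key against a key provisioned out of band (for example from signed federation metadata) rather than run PKIX chain and name validation, can be made concrete in code. The following is an added example and not code from this thread or from any SAML or RADIUS implementation; the entity IDs, host names and key pairs are constructed for the demo, and the key store stands in for whatever the federation metadata layer would provide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Pin is the base64 SHA-256 digest of a DER SubjectPublicKeyInfo. Pinning the
// key rather than the certificate means reissue, renewal and renaming of the
// certificate do not disturb trust as long as the key itself is unchanged.
type Pin string

// PinFromSPKI pins a raw DER-encoded SubjectPublicKeyInfo.
func PinFromSPKI(spki []byte) Pin {
	sum := sha256.Sum256(spki)
	return Pin(base64.StdEncoding.EncodeToString(sum[:]))
}

// PinFromCert pins the key carried in a parsed certificate.
func PinFromCert(cert *x509.Certificate) Pin {
	return PinFromSPKI(cert.RawSubjectPublicKeyInfo)
}

// KeyStore maps an entity identifier (hypothetical: a SAML entityID or a
// RADIUS peer name) to the keys the federation has provisioned for it.
type KeyStore map[string]map[Pin]bool

// Add registers a provisioned key for an entity.
func (s KeyStore) Add(entityID string, p Pin) {
	if s[entityID] == nil {
		s[entityID] = map[Pin]bool{}
	}
	s[entityID][p] = true
}

var (
	ErrUnknownEntity = errors.New("no provisioned keys for entity")
	ErrKeyMismatch   = errors.New("presented key matches no provisioned key")
)

// VerifyPeerKey accepts a peer when the public key in its leaf certificate is
// one of the keys provisioned for that entity. No chain is built, no name
// constraints are evaluated and no validity period is checked: the certificate
// is only a carrier for the key, and whether the key is still current is
// decided by whoever maintains the store (the metadata layer, in practice).
func VerifyPeerKey(store KeyStore, entityID string, rawLeaf []byte) error {
	pins, ok := store[entityID]
	if !ok {
		return ErrUnknownEntity
	}
	cert, err := x509.ParseCertificate(rawLeaf)
	if err != nil {
		return fmt.Errorf("parsing leaf certificate: %w", err)
	}
	if !pins[PinFromCert(cert)] {
		return ErrKeyMismatch
	}
	return nil
}

// selfSigned builds a throwaway self-signed certificate for the demo
// (constructed test data, not taken from any real deployment).
func selfSigned(key *ecdsa.PrivateKey, cn string, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Demo provisions one key for a hypothetical IdP and checks three leaves:
// the current certificate, a reissued certificate (new name, already expired)
// for the same key, and a certificate for a different key under the original
// name. It returns the three verification results (nil means accepted).
func Demo() (current, reissued, impostor error) {
	idpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	// Provisioning: the federation publishes the IdP's key. Here it is taken
	// straight from the key pair; real metadata would carry the SPKI or cert.
	store := KeyStore{}
	spki, _ := x509.MarshalPKIXPublicKey(&idpKey.PublicKey)
	store.Add("https://idp.example.org/idp", PinFromSPKI(spki))

	year := 365 * 24 * time.Hour
	current = VerifyPeerKey(store, "https://idp.example.org/idp",
		selfSigned(idpKey, "idp.example.org", time.Now().Add(year)))
	reissued = VerifyPeerKey(store, "https://idp.example.org/idp",
		selfSigned(idpKey, "login.example.org", time.Now().Add(-time.Hour)))
	impostor = VerifyPeerKey(store, "https://idp.example.org/idp",
		selfSigned(otherKey, "idp.example.org", time.Now().Add(year)))
	return
}

func main() {
	c, r, i := Demo()
	fmt.Println("current cert, provisioned key:", c)
	fmt.Println("reissued cert, same key:      ", r)
	fmt.Println("same name, different key:     ", i)
}
```

The second case is the point of the argument: a renamed and even expired certificate is still accepted because the key behind it is the one the federation provisioned, while a correctly named certificate for an unprovisioned key is rejected. Key rotation and revocation then live entirely in the provisioning channel, which is where the message above places them.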