On 6/23/11 9:16 PM, "Sam Hartman" <[log in to unmask]> wrote:
>Note that this is a somewhat more constrained problem than metadata for
>SAML. You only need to provision trust for your IDPs not for anything
>beyond that.

Yes, that's true, but it's simply a subset.

>This is not to describe the RADIUS trust; this the EAP trust.

Yes, I meant the "home" RADIUS server.

>The tricky question seems to be what happens when a user tries to add an
>identity given an issuer name, username and password.

That's where I bump the problem to metadata and assume the issuer name can
be used to obtain trusted information about the issuer.

There are a lot of reasons why people favor the CA model and the ability
to handle key rollover that way. Unfortunately, none of those reasons
include "the code for it actually works well". There's also the revocation
problem.
-- Scott