On 6/23/11 9:54 PM, "Sam Hartman" <[log in to unmask]> wrote:
>I definitely don't think we want some sort of global metadata that
>clients need to have in order to find issuers.
BTW, just in case it wasn't clear, "global metadata" != "giant metadata
file". Just as certificates in a PKI make up the metadata in that model,
signed metadata for a specific issuer can be, well, for a specific issuer.

The reason this small change somehow makes a big difference is that in the
former case, commercial CAs who have nothing to do with the problem
somehow get treated as relevant, and the certificates they spew have to be
accounted for. When it's SAML metadata, they are self-evidently irrelevant.

The rest is code bias. I don't care about the fact that certs are ASN.1,
but I do care about the embarrassingly bad features, APIs, and
unpredictable failure modes of the code that uses them. And I work in the
languages that supposedly support the stuff!

-- Scott