[mdx] TLS on the metadata query server

Tom Scavo trscavo at gmail.com
Sat Sep 6 11:04:44 PDT 2014


The SAML profile of the Metadata Query Protocol spec should reference
the SAML2 Metadata spec (which it does) and be compatible with section
4.1 of the latter (which it isn't, entirely) and so I'd like to
compare the two and understand if the incompatibilities are
intentional or what.

The SAML2 Metadata spec includes the following requirements in section 4:

"When retrieval requires network transport of the document, the
transport SHOULD be protected with mechanisms providing server
authentication and integrity protection. For example, HTTP-based
resolution SHOULD be protected with TLS/SSL [RFC2246] as amended by
[RFC3546]."

AFAICT, the SAML profile of the MDQ Protocol spec doesn't have
anything to say about server authentication. Should it?

I've always had mixed feelings about TLS on the metadata query server.
In the presence of XML Signature, I think the cost-benefit of TLS is
not justified, but I know that others have strong opinions in the
other direction. Does the profile need to take a stand on TLS one way
or the other?

Tom
