IdP metadata based on multiple signing certificates

Cantor, Scott cantor.2 at
Mon Aug 13 13:07:39 EDT 2012

> At the URL below, I've read about using multiple signing certificates as part of
> the IdP metadata:

I don't know what that has to do with the multiple certificate question. It should document what that means, but it means more or less the same thing it means for the other trust engine we have.

> Is this usable in a situation where a "personal" IdP is used on a local machine,
> which uses an X.509 certificate signed by a single root certificate? This means
> many "dynamic" IdP certificates from the point of view of the SP, as there
> will be many such "personal" IdPs, all of which must be trusted by the SP.

I think you're saying that the IdP(s) will be using a boatload of different certificates that all come and go randomly but have a common trust anchor. It is certainly the case that doing that with the PKIX engine is more likely to work, but only if you have a lot of complex certificate naming issues worked out. Something's got to be in the metadata to identify the credential, be it a name in the PKIX case, or the key in the more recommended case. So in the end it usually ends up that you're better off avoiding PKIX. It never solves the problem you think it does except by creating security behaviors that are hard to understand.

-- Scott
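The trust-engine behaviour the reply contrasts, as an added example that is not part of the original message and not Shibboleth code: an explicit-key check over SAML metadata carrying two signing certificates. The certificates are constructed with a toy DER encoder (structurally valid X.509 v3, unsigned, made-up key bits), and the entityID, hostnames and "Example CA" are invented. It shows that the metadata, not the CA, is what identifies a trusted credential: a renewed certificate carrying the same key stays trusted, while a certificate issued by the same CA for a key that never appeared in metadata (the "personal IdP" case in the question) is rejected.

```python
"""Explicit-key trust over SAML metadata with multiple signing certificates.

Added, constructed example (not Shibboleth code). The certificates come from a
toy DER encoder: X.509 v3 skeletons with placeholder signatures and fake keys.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


# ---- minimal DER encode/decode, just enough for a certificate skeleton ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long-form length for bodies over 127 bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def seq(*items):
    return der(0x30, b"".join(items))


def split(tlv):
    """Return (tag, body) of one DER element."""
    l, j = tlv[1], 2
    if l & 0x80:
        nb = l & 0x7F
        l, j = int.from_bytes(tlv[2:2 + nb], "big"), 2 + nb
    return tlv[0], tlv[j:j + l]


def children(tlv):
    """Split a constructed element into the encodings of its children."""
    out, body, i = [], split(tlv)[1], 0
    while i < len(body):
        l, j = body[i + 1], i + 2
        if l & 0x80:
            nb = l & 0x7F
            l, j = int.from_bytes(body[j:j + nb], "big"), j + nb
        out.append(body[i:j + l])
        i = j + l
    return out


RSA = seq(der(0x06, bytes.fromhex("2A864886F70D010101")), der(0x05, b""))  # rsaEncryption
SHA256_RSA = seq(der(0x06, bytes.fromhex("2A864886F70D01010B")), der(0x05, b""))
CN = der(0x06, bytes.fromhex("550403"))  # id-at-commonName


def name(cn):
    return seq(der(0x31, seq(CN, der(0x0C, cn.encode()))))  # Name > SET > AttributeTypeAndValue


def make_cert(subject, issuer, serial, pubkey):
    """Constructed sample: X.509 v3 layout with a bogus signature (never validated here)."""
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),          # [0] version v3
        der(0x02, bytes([serial])),
        SHA256_RSA,
        name(issuer),
        seq(der(0x18, b"20120101000000Z"), der(0x18, b"20130101000000Z")),
        name(subject),
        seq(RSA, der(0x03, b"\x00" + pubkey)),  # SubjectPublicKeyInfo
    )
    return seq(tbs, SHA256_RSA, der(0x03, b"\x00" * 17))


def spki(cert):
    """SubjectPublicKeyInfo DER of a certificate; the [0] version field is OPTIONAL."""
    fields = children(children(cert)[0])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[5]  # serial, sigalg, issuer, validity, subject, spki


def metadata_signing_keys(xml_text):
    """Explicit-key trust: every certificate under a signing KeyDescriptor contributes
    its public key. A missing use= attribute means signing and encryption."""
    keys = set()
    for kd in ET.fromstring(xml_text).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for x in kd.iter(f"{{{DS}}}X509Certificate"):
                cert = base64.b64decode("".join(x.text.split()))
                keys.add(hashlib.sha256(spki(cert)).hexdigest())
    return keys


def explicit_key_trusted(keys, cert):
    """Trust is decided on the public key alone: issuer, subject name and validity
    of the presented certificate play no part."""
    return hashlib.sha256(spki(cert)).hexdigest() in keys


# ---- constructed sample: one IdP with two signing keys, plus two outsiders ----
KEY_A, KEY_B, KEY_C = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32  # made-up key bits
CERT_A1 = make_cert("idp.example.org", "Example CA", 1, KEY_A)
CERT_B = make_cert("idp.example.org", "Example CA", 2, KEY_B)          # second signing cert
CERT_A2 = make_cert("idp.example.org", "Example CA", 3, KEY_A)         # renewed, same key
CERT_C = make_cert("idp-alice.example.org", "Example CA", 4, KEY_C)    # same CA, key never published


def b64(cert):
    return base64.b64encode(cert).decode()


METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(CERT_A1)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(CERT_B)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def demo():
    keys = metadata_signing_keys(METADATA)
    return {
        "A1 (in metadata)": explicit_key_trusted(keys, CERT_A1),
        "B (second signing key)": explicit_key_trusted(keys, CERT_B),
        "A2 (renewed, same key)": explicit_key_trusted(keys, CERT_A2),
        "C (same CA, key not in metadata)": explicit_key_trusted(keys, CERT_C),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'trusted' if ok else 'rejected'}")
```

A PKIX engine would accept CERT_C as soon as it chained to "Example CA", which is why metadata in that mode has to carry a name (a KeyName or subject constraint) to narrow the match; the explicit-key engine needs no naming rules because the key itself is the identifier, and it also tolerates certificate renewal as long as the key is kept.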
