Configuring <md:EntityDescriptor> ID attribute

Ian Young ian at
Mon Feb 4 05:47:25 EST 2013

On 4 Feb 2013, at 10:29, Peter Schober <peter.schober at> wrote:

> I don't think the ID on an invidual entity will cause problems when
> being part of an EntitiesDescriptor (with a different ID).

Usually true, but the ID attributes on EntityDescriptor and EntitiesDescriptor are both "ID" type in the schema, which means that they have to be unique values across *all items of ID type* in the document.  Duplication in any context would mean the document would fail schema validation.

Having said which:

* anyone doing aggregation of any kind (including a federation accepting individual registrations) should know this and strip all incoming IDs to avoid the obvious denial of service attack,

* the auto-generated metadata doesn't have an ID that looks like ID="_c0045678aa1b1e04e85d412f428ea95d2f627255" for no reason; duplication is improbable, to say the least.

The main reason the auto-generated metadata has an ID at all is to hang a signature on.

	-- Ian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
Url : 

More information about the users mailing list