Shibboleth Identity Provider Security Advisory [4 October 2017]
cantor.2 at osu.edu
Thu Oct 5 11:21:13 EDT 2017
> Sure, which is why I wouldn't want to have to instruct metadata
> consumers to also manually configure an extra TLS trust anchor only
> because the *signed* metadata we're publishing is /also/ available via
> HTTPS. Mostly because they might "forget" to configure our real trust
> anchor -- the signature validation certificate -- after having
> configured TLS trust anchor.
I would be against any model where you had to configure the TLS layer only to just ignore it in favor of the signature, so I don't see that happening but we need to be aware of it.
OTOH, I'm not sure I would be against us wiring in the HTTP client to require something be configured *unless* the disregardTLSWhatever flag was also set. If the TLS layer isn't being ignored I would probably want us to require the trust settings be explicit.