updating SP's signing cert in metadata
Tom Scavo
trscavo at gmail.com
Fri Oct 13 11:49:41 EDT 2017
On Fri, Oct 13, 2017 at 11:26 AM, John Dennis <jdennis at redhat.com> wrote:
> On 10/13/2017 11:18 AM, Tom Scavo wrote:
>>
>> It's not that simple. A KeyDescriptor with use="signing" is used for
>> authentication at the TLS layer as well.
>
> That's not my understanding. Keys used in metadata are independent of the
> transport layer.
On the front channel, that is correct. However, a "signing"
certificate in metadata is used for both XML Signature and TLS
back-channel authentication. For example, artifact resolution and
attribute query require some kind of client authentication. Usually
that is TLS client authentication.
See the "Keys and Certificates" section of the SecurityAndNetworking
topic in the wiki: https://wiki.shibboleth.net/confluence/x/VoEOAQ
Tom
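As an added illustration of the point above (example code, not from the thread or from Shibboleth): the same KeyDescriptor elements that an IdP trusts for the SP's XML signatures are what it would consult to authenticate the SP's TLS client certificate on the back channel, so a rollover publishes old and new signing certificates side by side. The metadata, the placeholder "DER" blobs and the exact-bytes matching are assumptions of this example.

```python
# Added example (not from the thread or Shibboleth). Assumptions: a KeyDescriptor
# with use="signing" or with no use attribute is usable for both XML Signature
# and TLS client auth, use="encryption" is not, and certificates are matched
# as exact DER bytes.
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder blobs standing in for real DER certificates.
OLD_SIGNING_DER = b"DER:old-signing-cert"
NEW_SIGNING_DER = b"DER:new-signing-cert"
ENCRYPTION_DER = b"DER:encryption-only-cert"

def key_descriptor(use: str, der: bytes) -> str:
    """Build one md:KeyDescriptor carrying a base64 X509Certificate."""
    b64 = base64.b64encode(der).decode("ascii")
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

# Constructed SP metadata mid-rollover: old and new signing certs are both
# published, alongside an encryption-only cert.
SP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + key_descriptor("signing", OLD_SIGNING_DER)
    + key_descriptor("signing", NEW_SIGNING_DER)
    + key_descriptor("encryption", ENCRYPTION_DER)
    + "</md:SPSSODescriptor></md:EntityDescriptor>"
)

def signing_certs(metadata_xml: str) -> list:
    """DER bytes of every cert the IdP may trust for this SP's XML signatures
    and for TLS client authentication on the back channel."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs

def accept_backchannel_client(metadata_xml: str, presented_der: bytes) -> bool:
    """True if the TLS client cert presented for artifact resolution or an
    attribute query is one of the SP's published signing certs."""
    return presented_der in signing_certs(metadata_xml)
```

Until the IdP side has consumed metadata containing the new certificate, a back-channel request presented with it fails client authentication, which is why both certificates stay published during the transition.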