updating SP's signing cert in metadata

Tom Scavo trscavo at gmail.com
Fri Oct 13 11:49:41 EDT 2017

On Fri, Oct 13, 2017 at 11:26 AM, John Dennis <jdennis at redhat.com> wrote:
> On 10/13/2017 11:18 AM, Tom Scavo wrote:
>> It's not that simple. A KeyDescriptor with use="signing" is used for
>> authentication at the TLS layer as well.
> That's not my understanding. Keys used in metadata are independent of the
> transport layer.

On the front channel, that is correct. However, a "signing"
certificate in metadata is used for both XML Signature and TLS
back-channel authentication. For example, artifact resolution and
attribute query require some kind of client authentication. Usually
that is TLS client authentication.

See the "Keys and Certificates" section of the SecurityAndNetworking
topic in the wiki: https://wiki.shibboleth.net/confluence/x/VoEOAQ


More information about the users mailing list