MetadataProvider question...

Peter Schober peter.schober at
Fri Oct 25 06:50:09 EDT 2019

* Dennis Fazekas <Dennis_Fazekas at> [2019-10-25 00:32]:
> We have customers that want to setup their IDP software to query us
> on an interval similar to how the SP can query them using the
> MetadataProvider.

They can. Just know that automatically (i.e., blindly) loading and
trusting cryptographic key material over the Internet is essentially
security theater.
Even if your trust in browser-/OS vendor-supplied web PKIX is
unfailing you'd have to closely inspect the whole HTTP + TLS software
stack in use that's downloading the metadata (so this would need to
happen at every IDP that loads your metadata that way) to account for
any and all degradations in trustworthiness of the connection that may
happen at any time (attacks local to the IDP, local to the SP or
somewhere in the middle), i.e., the things a graphical browser would
signal with UI elements or forced interstitial warning pages.

The other reason that warning exists in the metadata is that
automatically/software-generated metadata doesn't allow you to have an
internal configuration differing from what you publish as metadata.
But that's sometimes needed, e.g. for key rollover where you want the
software to "know" a certain keypair but not yet (or no longer)
"show"/publish it.

We should probably write all this up on a wiki page and put the URL to
that page into that warning message, though.
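An added illustration, not part of Peter's post or the thread: two Shibboleth IdP metadata-providers.xml entries (Shibboleth IdP v3/v4 syntax assumed; the ids, URL and file paths are placeholders). The first loads the SP's metadata over HTTPS and trusts whatever keys it contains, so the IdP's HTTP/TLS stack is the only safeguard; the second pins a metadata-signing certificate obtained out of band, so a substituted document is discarded even if the connection was degraded.

```xml
<!-- Added example (not from the original post): Shibboleth IdP
     metadata-providers.xml syntax assumed; ids, URL and paths are placeholders. -->

<!-- Weak: whatever keys arrive over this HTTPS fetch become trusted SP keys.
     Nothing here checks who produced the document. -->
<MetadataProvider id="SPBlind" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://sp.example.org/metadata.xml"
    backingFile="%{idp.home}/metadata/sp-example-org.xml" />

<!-- Better: the SP operator signs its metadata; the signing certificate is
     delivered out of band (not fetched from the same URL) and pinned here.
     A document whose signature does not verify against that certificate is
     rejected, and a validUntil is required so a stale copy cannot be kept
     in use indefinitely. -->
<MetadataProvider id="SPSigned" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://sp.example.org/metadata.xml"
    backingFile="%{idp.home}/metadata/sp-example-org.xml"
    minRefreshDelay="PT1H" maxRefreshDelay="PT4H">
    <MetadataFilter xsi:type="SignatureValidation"
        certificateFile="%{idp.home}/credentials/sp-example-org-signer.pem"
        requireSignedRoot="true" />
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
</MetadataProvider>
```

The signing key in the second form is separate from the SP's SAML keys, which is what lets the SP roll those keys by publishing new metadata without anyone re-pinning anything.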
