The validUntil attribute in SP metadata: should we require it?

Cantor, Scott cantor.2 at
Fri Sep 13 10:01:05 EDT 2019

On 9/13/19, 9:43 AM, "users on behalf of shibboleth655 at" <users-bounces at on behalf of shibboleth655 at> wrote:

> I would like to hear what other IdP operators do for validUntil: do they 
> require it? encourage it? reasons?

This doesn't get at the trust model you're using. The practical point of validUntil is to manage revocation windows when metadata is provided by a trusted third party. Having a useful validUntil implies frequent, regular re-signing of the metadata by the trust anchor. If that's not happening, there is no point to using it.

-- Scott

More information about the users mailing list