Support for X509SubjectName Name ID

Cantor, Scott cantor.2 at
Thu May 14 13:59:44 UTC 2020

On 5/14/20, 9:49 AM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

> If you take on their metadata though then you're responsible for it. certificate expirations, security issues, contact
> information, etc ....

None of which is generally accurate, or trustworthy. Vendors rarely roll a key properly, they'll change it locally before it ever shows up in a metadata file, or at the same time, which is going to break anyway. Half the time they put the wrong key in the metadata they send out to people when they inform people of key changes, I've had that happen twice within the last couple of months.

I've never regretted my decision to impose that rule, and it's saved me far more trouble than it's created extra work.

In any event, adding it to the metadata doesn't require owning it, you can use a NameIDFormat filter.

-- Scott

More information about the users mailing list