...

As specified by the [eduGAIN-Profile], in order to assure metadata integrity and originality, each federation metadata feed MUST be signed as specified in [SAMLMeta]. This signature, made with the key matching the one supplied to the eduGAIN OT, is the only element on which trust is based. In particular, MDS does not derive any trust from the details of the HTTPS endpoint from which a feed is fetched.

Metadata signature verification is done against the public key alone. If the public key for the federation metadata feed channel is supplied in the form of an X.509 certificate, other aspects of the certificate, such as its expiry date, do not form part of signature verification. This approach is borrowed from the SAML metadata interoperability profile [SAMLMetaIoP]. In particular, an expired certificate will still be used for verification.
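The following is an added illustration of the key-only verification policy described above; it is not MDS code and not part of the eduGAIN profile. It uses a detached PKCS#1 v1.5 / SHA-256 signature over the raw feed bytes as a stand-in for the XML signature that [SAMLMeta] actually requires, and it constructs a self-signed certificate whose validity window ended a year ago. `VerifyKeyOnly` implements the MDS behaviour (the certificate is only a carrier for the registered public key, so expiry is ignored), while `VerifyWithValidityWindow` shows the contrasting PKIX-style check that would reject the same feed. All names and the sample feed are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MakeExpiredSigner generates an RSA key pair and a self-signed certificate
// whose validity window closed a year ago (constructed test data standing in
// for the key material a federation registers with the eduGAIN OT).
func MakeExpiredSigner() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-federation metadata signer (constructed)"},
		NotBefore:    time.Now().Add(-2 * 365 * 24 * time.Hour),
		NotAfter:     time.Now().Add(-365 * 24 * time.Hour), // already expired
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// SignFeed produces a detached signature over the feed bytes. A real
// federation feed carries an enveloped XML-DSig; the hashing and RSA step
// is the same, the canonicalisation is what this example leaves out.
func SignFeed(key *rsa.PrivateKey, feed []byte) ([]byte, error) {
	h := sha256.Sum256(feed)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// VerifyKeyOnly is the policy the text describes: the signature is checked
// against the public key carried in the registered certificate and nothing
// else. Validity dates, key usage and issuer chain play no part.
func VerifyKeyOnly(cert *x509.Certificate, feed, sig []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("registered key is not an RSA key")
	}
	h := sha256.Sum256(feed)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// VerifyWithValidityWindow is the contrasting policy: a verifier that treats
// the certificate as a PKIX object and enforces NotBefore/NotAfter at
// verification time would reject a feed signed with an expired certificate.
func VerifyWithValidityWindow(cert *x509.Certificate, feed, sig []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate outside validity window (expired %s)",
			cert.NotAfter.UTC().Format(time.RFC3339))
	}
	return VerifyKeyOnly(cert, feed, sig)
}

func main() {
	key, cert, err := MakeExpiredSigner()
	if err != nil {
		panic(err)
	}
	feed := []byte(`<EntitiesDescriptor Name="urn:example:federation"/>`) // constructed
	sig, err := SignFeed(key, feed)
	if err != nil {
		panic(err)
	}
	fmt.Println("key-only policy:", VerifyKeyOnly(cert, feed, sig))
	fmt.Println("validity-window policy:", VerifyWithValidityWindow(cert, feed, sig, time.Now()))
	tampered := []byte(`<EntitiesDescriptor Name="urn:example:federation">x</EntitiesDescriptor>`)
	fmt.Println("key-only policy, tampered feed:", VerifyKeyOnly(cert, tampered, sig))
}
```

The point the two functions make side by side: under the MDS policy the registered public key is the trust anchor, so rotating that key (and telling the OT) is what revokes a signer, not letting the certificate expire. Any change to the signed bytes still fails verification, as the tampered feed in `main` shows.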

...