[Concordia] A wiki page for our IdP Discovery Problem educational materials
Josh Howlett
Josh.Howlett at ja.net
Tue Jan 22 07:59:24 EST 2008
Hi Mikaël,
> > Discovery and trust path establishment are orthogonal. As
> an analogy, you can use TLS to establish trust with a peer
> whose network address you have discovered using insecure DNS.
> >
> In fact, in the process I described, both are linked...
> The discovery of the authority is the same as the discovery
> of the trust path, and so, how to establish an indirect trust
> link. As an analogy, TLS gives you signatures but does not
> say how you can trust a signature.
As you say, they *can* be linked but they don't *need* to be linked. I'm inclined to think that leaving them unlinked provides better agility (ie. to use different combinations of trust and discovery mechanisms).
> In a federation, maybe you have a common PKI, a white list of
> trusted signatures, and if you rely on indirect trust, you
> can trust the trusted parties of your trusted parties.
> > IIRC, eduGAIN (like the Shibboleth profile) does not
> consider discovery to be in-scope.
> >
> I do not know technical details of eduGAIN but I found this in the
> eduGAIN deliverable DJ5.2.2:
> "Home Location Service, in charge of *locating the
> appropriate identity
> repository at the home domain*"
I am fairly sure that the HLS is part of the metadata acquisition process. In the current implementation, this process is bootstrapped by the user claiming his affiliation through a WFAYF (What Federation Are You From) or suchlike. That is how eduGAIN currently treats the discovery problem.
If you would like an authoritative answer from one of the developers, I'd be happy to ask them and report back.
best regards, josh.
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG