
2009/3/24 David Wallom <david.wallom@oerc.ox.ac.uk>:
> Looking through this, though, I would assert that the limitation to just long-lived X509 seems not in keeping with, for example, the ongoing discussions about trusting Shibboleth-generated certs etc.?
That's how I read it at first but Etienne's writeup (if that's what you're referring to) is restricted to proxies. Clearly(?) a SLC is a PKC as well.
> I have just been speaking to the security person from our NREN, who specifically mentioned that Shib tokens across national boundaries are becoming essential and will be subject to an IGTF-type body pretty soon.
They are currently recommending using self-signed certificates for the SPs as trust anchors. I hear slightly different messages from within the NREN in question, but they are indicating that SAML assertions are "moving to" being signed by such trust anchors. I think I referred to it in an earlier mail to PGI-WG.

--jens