(Response to Feedback Item 6) Key hashing algorithm SDP-MD09

[judielaine]

Feedback Item 6: SDP-MD09 - This is down to a software implementation issue, example, Java will not process an MD5 cert. Do you point that out and ask people to not do things that will cause problems, or do you stick to the spec and say people should disregard the cert other than the key material?

1. Suggest adding non-normative text that explains there is software out there that can’t not process the key, and you create interop problems with that software. SDP-MD06 has text about this.
2. This should be a ‘SHOULD NOT’ - ignore cert contents beyond the key material.
3. Look at SDP-MD06 as an example - it mixes normative and non-normative text in a way that would help with MD09.
4. Could merge 09 and 06, move the text from 09 into 06.
5. Making this a list of non-musts (shoulds/should-nots)
6. Should we continue to make this concession, or should we strike out the wishy-washy support concession? We have struck out wishy-washy-ness almost everywhere else?
7. Scott suggests just making this language non-normative, italicized it. ‘You may run into issues with noncompliant software and cert content beyond the key’, roll that into MD-06. By not ignoring the cert material, you are violating SAML [MD-IOP]
8. “Any such software is noncompliant with the specification”