We do retrieve SAML federation metadata daily, but the metadata feed is signed using a pinned long-term key of the federation manager, so there's no reliance on WebPKI or even TLS. (Not Shibboleth, but it would be…
Timestamps – there's a standard extension for this (see IRCv3 above). ZNC has been using it for maybe a year. Senders – there's absolutely no reason to fake senders, since it was always valid for messages to come from…
We do retrieve SAML federation metadata daily, but the metadata feed is signed using a pinned long-term key of the federation manager, so there's no reliance on WebPKI or even TLS. (Not Shibboleth, but it would be…
Timestamps – there's a standard extension for this (see IRCv3 above). ZNC has been using it for maybe a year. Senders – there's absolutely no reason to fake senders, since it was always valid for messages to come from…