edugain-discuss - Re: [eduGAIN-discuss] eduGAIN validator

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Brook Schofield <schofield AT terena.org>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] eduGAIN validator
  • Date: Fri, 25 Oct 2013 16:50:47 +0200
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

It looks like NIST conformance (at least to part of the spec) is becoming a "de facto" standard, especially if UKf will only be interoperating with >=2048 key length (and other federations will surely follow this approach).

Hopefully this falls into "best practice" which defines the "clear rules" including having this listed in the validator. Interoperability is the goal so we need to raise the bar to ensure that as much of eduGAIN "works" in practice. If there is a need to be specific about this - it is certainly something that can be clarified in an update to the metadata profile.

Thanks Peter for identifying the "size" of the problem (which currently isn't significant) and hopefully it can be rectified so that there isn't any loss of service.

-Brook


On 25 October 2013 16:30, Peter Schober <peter.schober AT univie.ac.at> wrote:
* Ian Young <ian AT iay.org.uk> [2013-10-25 15:46]:
> On 25 Oct 2013, at 12:10, Peter Schober <peter.schober AT univie.ac.at> wrote:
> > Currently there are only 5 out of 222 entities with such keys, so
> > changes to those 5 entities within the remaining months of the year
> > seem very much doable
>
> Only if there is some pressure applied, I’d expect. People — even
> people you’d expect to take this kind of thing seriously — often
> find it hard to prioritise something that doesn’t actually stop
> their service from working. I brought this issue up with at least
> one of the entity deployers some months ago, with no result.

I've tickets with the 2 SPs (of those 5 entities) and I'm
optimistic this will be handled in time in this case.

The 3 remaining IdPs with 1024 bit keys are
https://idp.uniroma3.it/idp/shibboleth
https://login.ntua.gr/idp/shibboleth
https://aai.sztaki.hu/idp

Maybe colleagues from IDEM, GRNET and eduID.hu respectively will want
to help those institutions perform a key rollover.

But certainly for existing, possibly old entities from member
federations coming into the aggregate having clear rules in place
would be preferable.
-peter




--
===================================================
Brook Schofield, TERENA Project Development Officer
TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
Tel +31 20 530 4488    Fax +31 20 530 4499    Mob +31 65 155 3991
www.terena.org


