edugain-discuss - Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata
  • Date: Wed, 18 Sep 2019 08:44:52 +0200
  • Organization: ACOnet

* Peter Schober <peter.schober AT univie.ac.at> [2019-09-18 08:26]:
> * Zenon Mousmoulas <zmousm AT noc.grnet.gr> [2019-09-18 08:09]:
> > I suppose this signature should have been stripped at some point.
>
> * All signatures need to be able to be verified by all metadata consumers.
> So if that signature is NOT by the federation operator (but by an
> entity owner) this signature must be removed by the federation
> operator before publishing.

In this case the cert used to sign was the entity webserver's
HTTPS/TLS certificate (i.e., a commercial PKIX cert via GÉANT TCS).
So yes, that signature needs to be removed by its registrar, RoEduNet.

@OT: While I cannot reproduce Wolfgang's schema validation problem
(XmlSecTool verifies the eduGAIN MDS's aggregate just fine here, as per
the feed I got at 05:55 UTC) if such an entity indeed causes breakage
in other federations we should do something about that. If nothing
else than pressuring RoEduNet into removing the signature or the whole
entity from their upstream feed.
Still it would be good if the OT could step in in emergency cases and
filter out the entity in case the registrar publishing the offending
entry isn't available or cooperative.

-peter
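As an added example (not part of this thread, nor eduGAIN or XmlSecTool code): a standard-library Python check that reports any ds:Signature embedded directly in an EntityDescriptor of an aggregate, flags Reference URIs that do not resolve to an ID in the document, and strips such embedded signatures the way a registrar would before publishing. The aggregate it parses is a constructed sample, not the eduGAIN feed; the entityIDs in it are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample: one aggregate-level signature (expected) and one
# EntityDescriptor-embedded signature whose Reference URI points nowhere.
SAMPLE = """<md:EntitiesDescriptor ID="_agg1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_agg1"/></ds:SignedInfo></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp" ID="_e1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_nosuchid"/></ds:SignedInfo></ds:Signature>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/sp"/>
</md:EntitiesDescriptor>"""


def embedded_signature_report(xml_text):
    """Return (entityID, Reference URI, resolvable?) for every signature that
    sits inside an EntityDescriptor rather than on the aggregate itself."""
    root = ET.fromstring(xml_text)
    ids = {el.get("ID") for el in root.iter() if el.get("ID")}
    report = []
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        for sig in ed.findall(f"{{{DS}}}Signature"):  # direct child only
            for ref in sig.iter(f"{{{DS}}}Reference"):
                uri = ref.get("URI", "")
                # An enveloped metadata signature is expected to reference its
                # parent by "#" + ID; anything else is unverifiable by consumers.
                report.append((ed.get("entityID"), uri,
                               uri.startswith("#") and uri[1:] in ids))
    return report


def strip_embedded_signatures(xml_text):
    """Remove every EntityDescriptor-level signature, resolvable or not (an
    entity owner's signature cannot be verified by all consumers), keeping
    the aggregate-level one. Returns (new XML text, number removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for ed in list(root.iter(f"{{{MD}}}EntityDescriptor")):
        for sig in ed.findall(f"{{{DS}}}Signature"):
            ed.remove(sig)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Running the report against the sample lists the IdP's embedded signature with its dangling `#_nosuchid` reference; stripping leaves only the aggregate signature in place.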
