edugain-discuss - Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata


  • From: Dick Visser <dick.visser AT geant.org>
  • To: Peter Schober <peter.schober AT univie.ac.at>
  • Cc: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata
  • Date: Wed, 18 Sep 2019 11:48:34 +0200

This could be a nice addition for @Rhys Smith's script that generates
https://www.ukfederation.org.uk/fed/edugain-import-log-with-diff.txt.
If a signing certificate is issued by Let's Encrypt, then it is highly
likely that it will be automagically replaced at regular intervals,
thereby breaking things.
Although technically correct, IMHO this should trigger an error.

I've noticed this issue as well with SPs that connect to the GEANT SAML proxy.
SP operators apparently "need a certificate", and when they find one
that is used for the web server, it's just too tempting to not use it.

Dick


On Wed, 18 Sep 2019 at 11:03, Peter Schober <peter.schober AT univie.ac.at>
wrote:
>
> * Zenon Mousmoulas <zmousm AT noc.grnet.gr> [2019-09-18 08:09]:
> > I suppose this signature should have been stripped at some point.
>
> FWIW, that Signature never made it into our aggregates since I run
> (a slightly modified version of) pyff's tidy.xsl script on all imports:
> https://github.com/IdentityPython/pyFF/blob/master/src/pyff/xslt/tidy.xsl
>
> Thanks, @leifj!
>
> (My own modification relates to the old WS-* XSD schema validation issue,
> https://lists.geant.org/sympa/arc/edugain-discuss/2014-11/msg00031.html
> I'll send a PR for that to get that one-line addition included upstream.)
>
> -peter



--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT
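As an added example (not code from this thread, from the UK federation import-log script, or from pyff), a stdlib-only Python lint in the spirit of the import check Dick suggests: it reports every ds:Signature embedded directly in an EntityDescriptor together with whether its Reference URI actually names the enclosing element's ID, and then strips those per-entity signatures the way the quoted mail says tidy.xsl does on import. The sample aggregate and its entityIDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample aggregate: one entity carries an embedded Signature whose
# Reference URI points at an ID that does not exist; the other entity is clean.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" ID="_agg">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth" ID="_e1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_stale"/></ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp" ID="_e2">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def embedded_signature_findings(root):
    """List (entityID, Reference URI, uri_matches_id) for every ds:Signature
    that is a direct child of an EntityDescriptor; the aggregate-level
    Signature under EntitiesDescriptor is deliberately not reported."""
    findings = []
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        for sig in ed.findall(f"{{{DS}}}Signature"):
            ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
            uri = ref.get("URI", "") if ref is not None else ""
            findings.append((ed.get("entityID"), uri, uri == "#" + ed.get("ID", "")))
    return findings


def strip_embedded_signatures(root):
    """Remove per-entity signatures (what tidy.xsl does on import, per the
    quoted mail) and return how many were dropped."""
    removed = 0
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        for sig in ed.findall(f"{{{DS}}}Signature"):  # findall returns a list, safe to remove
            ed.remove(sig)
            removed += 1
    return removed


if __name__ == "__main__":
    tree = ET.fromstring(SAMPLE)
    for entity_id, uri, ok in embedded_signature_findings(tree):
        print(f"{entity_id}: embedded Signature, Reference URI={uri!r}, matches ID={ok}")
    print("stripped", strip_embedded_signatures(tree), "embedded signature(s)")
```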


