edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
  • Cc: Tomasz Wolniewicz <twoln AT umk.pl>, edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Tue, 19 Nov 2019 12:17:54 +0100
  • Organization: ACOnet

* Zenon Mousmoulas <zmousm AT noc.grnet.gr> [2019-11-19 11:55]:
> I am not suggesting removing the check/warning. I am just trying to
> understand where it comes from, so that we can provide an argument
> to federation members who are asking why we ask that they update
> their expired certificates.

Sorry, I was under the (wrong) impression you were asking about some
eduGAIN component warning about expired *signing* *certificates* from
eduGAIN member federations -- because that's what item 1 on the page
you referenced is about:
https://wiki.geant.org/display/eduGAIN/Best+Current+Practice

So I'll reverse my previous statement (that SAMLMetaIOP does not apply
to your question) and now state that the /above/ does not apply to
your question, but SAMLMetaIOP fully does.

You're right that expired certificates may have been a concern in
the past, cf. the 6th bullet in section "Metadata" on the page:
https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop#MicrosoftInterop-ADFSV2
But that page hasn't been updated for years (and there's also no
supported Shibboleth software left that would be maintained in the
"SHIB2" space of that wiki, so it's purely of historical relevance).
Chris P. et al. will know all about the current state of affairs
trying to interop with MS-ADFS, though.

Other than that I guess referring to RFC2119 is all one can do if you
wanted to know just how weak or strong that RECOMMENDATION from
SAMLMetaIOP about unexpired certs is.

I /certainly/ have expired certificates in entities' metadata and as
long as no one complains about systems unable to interop with those
(i.e., unable to conform with SAMLMetaIOP, which actually is a formal
requirement from our technical profile, but that doesn't help with
entities registered in other federations, for example) I have no
intention of forcing a key rollover.
Incidentally none of these we currently publish to eduGAIN, which is why
I haven't spent any time thinking about that.

-peter
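The check the thread is about, i.e. whether an entity's published metadata still carries certificates whose validity period has ended (the SAMLMetaIOP RECOMMENDATION on unexpired certificates mentioned above), is easy to automate for a federation registrar. The following is an added example, not code from the list, from Peter, or from any eduGAIN or Shibboleth component. It parses a SAML 2.0 EntityDescriptor with Go's standard library, decodes every ds:X509Certificate under the IDPSSODescriptor/SPSSODescriptor KeyDescriptors and compares notAfter with a reference time. The entityID, the metadata document and the two self-signed certificates it generates (one expired, one current) are constructed test data; nothing here tells you what a SAMLMetaIOP-conforming consumer does with such a certificate, which, as the message says, is to keep using it regardless of its dates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyDescriptor is the subset of md:KeyDescriptor we need: the optional
// use= attribute and the DER certificate inside ds:KeyInfo. encoding/xml
// matches these tags by local name, so the md:/ds: prefixes do not matter.
type KeyDescriptor struct {
	Use  string `xml:"use,attr"`
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
}

// EntityDescriptor collects the KeyDescriptors of both SSO role descriptors.
type EntityDescriptor struct {
	EntityID string          `xml:"entityID,attr"`
	IDPKeys  []KeyDescriptor `xml:"IDPSSODescriptor>KeyDescriptor"`
	SPKeys   []KeyDescriptor `xml:"SPSSODescriptor>KeyDescriptor"`
}

// Finding describes one certificate found in the metadata.
type Finding struct {
	EntityID string
	Use      string // "signing", "encryption" or "" (both uses)
	Subject  string
	NotAfter time.Time
	Expired  bool // NotAfter lies before the reference time
}

// CheckMetadata parses one EntityDescriptor and reports every embedded
// certificate with its notAfter and whether it has expired relative to now.
func CheckMetadata(doc []byte, now time.Time) ([]Finding, error) {
	var ed EntityDescriptor
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return nil, fmt.Errorf("parse metadata: %w", err)
	}
	var out []Finding
	for _, kd := range append(ed.IDPKeys, ed.SPKeys...) {
		// Real metadata wraps the base64 across lines; drop all whitespace first.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(kd.Cert), ""))
		if err != nil {
			return nil, fmt.Errorf("bad base64 in X509Certificate: %w", err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("bad certificate: %w", err)
		}
		out = append(out, Finding{ed.EntityID, kd.Use, cert.Subject.CommonName,
			cert.NotAfter, cert.NotAfter.Before(now)})
	}
	return out, nil
}

// newCertB64 builds a self-signed certificate with the given validity window,
// base64-encoded as it would appear inside <ds:X509Certificate>.
func newCertB64(cn string, notBefore, notAfter time.Time) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}

// SampleMetadata is constructed input: a fictitious IdP that still publishes
// an expired signing certificate next to its current key.
func SampleMetadata() []byte {
	utc := func(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }
	old := newCertB64("idp.example.org (2015 key)", utc(2015), utc(2018))
	cur := newCertB64("idp.example.org", utc(2019), utc(2039))
	return []byte(fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`, old, cur))
}

func main() {
	now := time.Date(2019, 11, 19, 12, 0, 0, 0, time.UTC) // constructed reference time
	findings, err := CheckMetadata(SampleMetadata(), now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s use=%q subject=%q notAfter=%s expired=%v\n",
			f.EntityID, f.Use, f.Subject, f.NotAfter.Format("2006-01-02"), f.Expired)
	}
}
```

Run against a federation's aggregate by feeding each EntityDescriptor to CheckMetadata with time.Now(); an empty use= attribute means the key is offered for both signing and encryption, so such a certificate expiring is worth reporting twice as loudly. The check only reads the dates; it deliberately does not attempt chain validation, since SAML metadata keys are trusted by virtue of being in signed metadata, not via a CA.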


