edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Guy Halse <guy AT tenet.ac.za>
- To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
- Cc: <edugain-discuss AT lists.geant.org>
- Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
- Date: Tue, 19 Nov 2019 15:00:27 +0200
- Organization: Tertiary Education & Research Network of South Africa NPC
Hi

On 2019/11/19 12:55, Zenon Mousmoulas wrote:
> I am not suggesting removing the check/warning. I am just trying to
> understand where it comes from, so that we can provide an argument
> to federation members who are asking why we ask that they update
> their expired certificates.

For me this is a simple application of the Robustness Principle
(aka Postel's law). Assuming that some providers check the certificate
expiration even when they do not need to, as is suggested by:

> Anecdotal evidence suggests that MS ADFS, at least some versions,
> impose such a requirement. Even if only for such interop issues
> (rather than normative documents), I was hoping someone might be
> able to point to a more explicit reference.

means that if we want to maintain maximum interoperability we should
take the conservative approach of ensuring that certificates are not
expired, even when this may not strictly be required by the profile
(having valid certificates is not prohibited by the profile).

In other words, I see the warning as "it is known that this
configuration will break interoperability with some providers" rather
than a violation of a profile (which would be an error instead).

FWIW, https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-certs
further suggests your anecdotal evidence is true. As does our own
experience with AD FS. And a quick-and-dirty search of our copy of the
eduGAIN metadata suggests there are at least 225 AD FS providers.

- Guy

--
Guy Halse
Director Trust & Identity
Tertiary Education & Research Network of South Africa NPC
Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
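The check the thread is discussing, as an added example that is not part of this message or of any eduGAIN or federation tooling: a stdlib-only Python scanner that walks every KeyDescriptor certificate in a SAML metadata aggregate down to its X.509 notAfter field and reports entities whose certificates have expired, as a warning rather than a profile violation. The metadata document and the certificates in it are constructed fixtures (the certificates are unsigned and carry only the RFC 5280 fields up to validity); the DER walker assumes well-formed certificates as they appear in real metadata.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"

def _tlv(buf, off):  # decode one DER TLV header at buf[off] -> (tag, value_start, value_end)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length (real certificates need this)
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def cert_not_after(der):
    """Walk tbsCertificate in RFC 5280 field order down to validity.notAfter, stdlib only."""
    _, s, _ = _tlv(der, 0)                          # Certificate SEQUENCE
    _, s, _ = _tlv(der, s)                          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, s)
    if tag == 0xA0:                                 # optional EXPLICIT [0] version
        tag, _, end = _tlv(der, end)                # serialNumber
    for _ in range(2):                              # skip signature AlgorithmIdentifier and issuer Name
        tag, _, end = _tlv(der, end)
    _, vs, _ = _tlv(der, end)                       # validity SEQUENCE
    _, _, end = _tlv(der, vs)                       # notBefore
    tag, a, b = _tlv(der, end)                      # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    text = der[a:b].decode("ascii")
    if tag == 0x17:                                 # UTCTime is YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        text = str(int(text[:2]) + (1900 if int(text[:2]) >= 50 else 2000)) + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expired_keys(metadata_xml, now=None):
    """Return (entityID, use, notAfter) for every KeyDescriptor certificate already past notAfter."""
    now, hits = now or datetime.now(timezone.utc), []
    for ent in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        for kd in ent.iter(f"{{{MD}}}KeyDescriptor"):
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                not_after = cert_not_after(base64.b64decode("".join(cert.text.split())))
                if not_after < now:                 # expired: interop warning, not a profile error
                    hits.append((ent.get("entityID"), kd.get("use", "any"), not_after))
    return hits

def _der(tag, payload):                             # tiny DER encoder for the fixture only (< 128 bytes)
    return bytes([tag, len(payload)]) + payload

def fake_cert_b64(not_after):  # constructed, unsigned fixture in RFC 5280 field order; not a real certificate
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _der(0x30, b"") + _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, not_after)))
    return base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()

KD = '<md:KeyDescriptor use="{}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
SAMPLE_METADATA = (  # constructed sample: an SP whose signing certificate expired in 2018, an IdP valid until 2030
    f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"><md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
    f'<md:SPSSODescriptor>{KD.format("signing", fake_cert_b64(b"181231235959Z"))}</md:SPSSODescriptor></md:EntityDescriptor>'
    f'<md:EntityDescriptor entityID="https://idp.example.org/idp"><md:IDPSSODescriptor>{KD.format("encryption", fake_cert_b64(b"301231235959Z"))}'
    '</md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>')
```

Running `expired_keys` over a real aggregate (for example a local copy of the eduGAIN metadata) lists each entity and key use whose certificate is past notAfter, which is the population a federation operator would warn before an AD FS peer stops trusting it.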