
edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Guy Halse <guy AT tenet.ac.za>
  • To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
  • Cc: <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Tue, 19 Nov 2019 15:00:27 +0200
  • Organization: Tertiary Education & Research Network of South Africa NPC

Hi

On 2019/11/19 12:55, Zenon Mousmoulas wrote:
> I am not suggesting removing the check/warning. I am just trying to understand where it comes from, so that we can provide an argument to federation members who are asking why we ask that they update their expired certificates. For me this is a simple application of the Robustness Principle (aka Postel's law).

Assuming that some providers check the certificate expiration even when they do not need to, as is suggested by:

> Anecdotal evidence suggests that MS ADFS, at least some versions, impose such a requirement. Even if only for such interop issues (rather than normative documents), I was hoping someone might be able to point to a more explicit reference.

means that if we want to maintain maximum interoperability we should take the conservative approach of ensuring that certificates are not expired, even when this may not strictly be required by the profile (having valid certificates is not prohibited by the profile).

In other words, I see the warning as "it is known that this configuration will break interoperability with some providers" rather than a violation of a profile (which would be an error instead).

FWIW, https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-certs further suggests your anecdotal evidence is true. As does our own experience with AD FS. And a quick-and-dirty search of our copy of the eduGAIN metadata suggests there are at least 225 AD FS providers.

- Guy
-- 
Guy Halse
Director Trust & Identity
Tertiary Education & Research Network of South Africa NPC
Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
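The distinction Guy draws above (an expired certificate in metadata is a known interoperability problem and so a warning, whereas broken metadata is an error) can be turned into a small checker. The script below is an added example for this thread, not the eduGAIN validator's code nor TENET's search script. It parses a SAML `EntitiesDescriptor`, walks each `ds:X509Certificate` with a minimal DER reader that reads only the fields it needs, and also counts entities whose `entityID` ends in `/adfs/services/trust`. That suffix is the usual AD FS default, but using it as the detection rule is an assumption of this example, not the method used in the thread; the sample metadata and the unsigned certificate skeletons it checks are constructed fixtures, not real eduGAIN data.

```python
"""Metadata checker sketch: expired certificates are interop WARNINGs,
unparseable certificates are ERRORs.  Added example, not eduGAIN's validator.
The DER walker reads only the fields it needs; the sample metadata and
certificates built at the bottom are constructed fixtures."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def der_encode(tag, content):
    """Build one DER TLV (definite length, long form above 127 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf, pos=0):
    """Return (tag, content, position after this TLV) for buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Yield (tag, content) for each TLV directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        yield tag, body

def cert_not_after(der_cert):
    """Certificate -> tbsCertificate -> validity -> notAfter, as a UTC datetime."""
    _, cert_body, _ = der_read(der_cert)
    _, tbs_body, _ = der_read(cert_body)
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:            # optional [0] EXPLICIT version
        fields = fields[1:]
    _, validity = fields[3]             # serial, sigAlg, issuer, validity, ...
    (_, _), (tag, raw) = list(der_children(validity))[:2]
    # UTCTime (0x17) has a two-digit year (strptime's pivot differs from RFC 5280
    # only for years 50-68), GeneralizedTime (0x18) a four-digit one.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def looks_like_adfs(entity_id):
    """Heuristic (an assumption of this example): an AD FS farm's default
    entityID ends in /adfs/services/trust."""
    return entity_id.rstrip("/").endswith("/adfs/services/trust")

def check_metadata(xml_text, now):
    """Return (findings, adfs_count); each finding is (entityID, severity, text)."""
    findings, adfs = [], 0
    for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        eid = ed.get("entityID", "")
        adfs += looks_like_adfs(eid)
        for c in ed.findall(".//ds:X509Certificate", NS):
            try:
                exp = cert_not_after(base64.b64decode("".join((c.text or "").split())))
            except (ValueError, IndexError):
                findings.append((eid, "ERROR", "certificate is not valid base64/DER"))
                continue
            if exp < now:   # interop problem (e.g. AD FS), not a profile violation
                findings.append((eid, "WARNING", "certificate expired %s" % exp.date()))
    return findings, adfs

# ---- constructed fixtures (not real certificates, not real eduGAIN data) ----
def fake_cert(not_after):
    """Unsigned certificate skeleton holding just the fields cert_not_after walks."""
    utc = lambda d: der_encode(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    empty = der_encode(0x30, b"")
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
           + empty + empty
           + der_encode(0x30, utc(not_after - dt.timedelta(days=365)) + utc(not_after))
           + empty + empty)
    return der_encode(0x30, der_encode(0x30, tbs) + empty + der_encode(0x03, b"\x00"))

def sample_metadata(entries):
    """entries: [(entityID, base64 certificate text)] -> EntitiesDescriptor XML."""
    body = "".join(
        '<md:EntityDescriptor entityID="%s"><md:SPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '</md:SPSSODescriptor></md:EntityDescriptor>' % (eid, b64)
        for eid, b64 in entries)
    return ('<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">%s</md:EntitiesDescriptor>'
            % (NS["md"], NS["ds"], body))

def demo(now=dt.datetime(2019, 11, 19, tzinfo=dt.timezone.utc)):
    """Three constructed entities: AD FS-style with a valid cert, expired cert, garbage."""
    b64 = lambda c: base64.b64encode(c).decode()
    md = sample_metadata([
        ("http://fs.example.ac.za/adfs/services/trust", b64(fake_cert(dt.datetime(2021, 1, 1)))),
        ("https://sp.example.org/shibboleth", b64(fake_cert(dt.datetime(2019, 1, 1)))),
        ("https://broken.example.org/sp", "not-a-cert"),
    ])
    return check_metadata(md, now)

if __name__ == "__main__":
    findings, adfs_count = demo()
    print("AD FS-style entities:", adfs_count)
    for finding in findings:
        print(*finding)
```

Against real aggregate metadata the checker would report the expired certificate of the second entity as a warning and the malformed certificate of the third as an error, which is exactly the severity split the message argues for; the AD FS count is the same kind of quick-and-dirty estimate Guy mentions and should be read as a lower bound, since not every AD FS deployment keeps the default `entityID`.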



