edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
- Date: Wed, 20 Nov 2019 20:49:43 +0100
Hi,
I was off-line for a moment. In my previous post I got fooled the same
way as Peter into thinking that this was about the federation signing.
I was also in a bit of a hurry and probably should not have spoken at
all. Anyway, I think that there are a few clarifications required about
the formal position on all of this, so let me address them now.
First of all, Peter's remark:
> Since we didn't vote to having that rule there (AFAIR -- that Best
> Practices document is not part of any formal eduGAIN docs?) I don't
> think a vote to get rid of it (if we wanted that) is warranted.
eduGAIN profile states:
"For entities within Federations, eduGAIN supports a series of Best
Current Practice documents that are supported by the eduGAIN Steering
Committee and published on the eduGAIN website [eduGAIN-BCP]. SAML
Metadata Producers SHOULD support all the Best Current Practice
published by eduGAIN within their Federations."
and
"eduGAIN supports a series of Best Current Practice (BCP) documents. All
such documents are approved by the eduGAIN Steering Group before being
published on the eduGAIN website. SAML Metadata Producers SHOULD support
eduGAIN BCP. Entity adherence to best current practice is monitored by
the eduGAIN Operational Team via the eduGAIN Entities Database
[eduGAIN-ED]. Federation Operators SHOULD monitor the eduGAIN Entities
Database on a regular basis."
Therefore the BCP document is supposed to exist and is supposed to be
approved by the SG. The document we point to is something that we want
to start with and it is just a list of the validator warnings.
Secondly, the expired certificate warning in BCP is indeed about the
aggregator signature. We had a discussion about that on the SG list some
time ago and it was agreed that there are no formal grounds for
demanding non-expired certs while there may be common-sense arguments to
the contrary, therefore this point is clearly marked as to be confirmed
by the SG (along with the whole BCP).
Thirdly, where it comes to validator warnings on expired per-entity
certs, it is an oversight on our side that this warning is not listed i
BCP. The justification for this warning is the recommendation in the
InterOp profile as pointed out by Zenon. I believe that the following
discussion on the list is a perfect justification for us giving an
explicit warning on this as well.
Cheers
Tomasz
W dniu 20.11.2019 o 17:02, Peter Schober pisze:
> * Thijs Kinkhorst <thijs.kinkhorst AT surfnet.nl> [2019-11-20 13:33]:
>> Just to provide some counter viewpoint. In our federation 66% of IdPs use
>> ADFS and this hardly gives rise to problems.
> That's why I wrote "A disclaimer message to be relayed by (Full Mesh)
> federations?", fully aware that Hub&Scope federations are in a
> different position here that allows them to compensate for products
> that do not support multi-lateral federations nor everything we've
> built on top.
> -peter
--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln
Uniwersteckie Centrum Informatyczne Information&Communication Technology
Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 tel kom.: +48-693-032-576
Attachment:
smime.p7s
Description: Kryptograficzna sygnatura S/MIME
- Re: [eduGAIN-discuss] reference for expired certificate warning, (continued)
- Re: [eduGAIN-discuss] reference for expired certificate warning, Nicole Harris, 20-Nov-2019
- RE: [eduGAIN-discuss] reference for expired certificate warning, Warda Al Habsi, 20-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Nick Roy, 20-Nov-2019
- RE: [eduGAIN-discuss] reference for expired certificate warning, Warda Al Habsi, 21-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Leif Johansson, 21-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Nick Roy, 21-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Nick Roy, 20-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Nick Roy, 20-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Thijs Kinkhorst, 20-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Peter Schober, 20-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Tomasz Wolniewicz, 11/20/2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Zenon Mousmoulas, 20-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Guy Halse, 21-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Peter Schober, 21-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Nick Roy, 21-Nov-2019
- Sv: [eduGAIN-discuss] reference for expired certificate warning, Pål Axelsson, 21-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Nick Roy, 21-Nov-2019
- Re: [eduGAIN-discuss] reference for expired certificate warning, Nick Roy, 21-Nov-2019
Archive powered by MHonArc 2.6.19.