edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Nick Roy <nroy AT internet2.edu>
  • To: Peter Schober <peter.schober AT univie.ac.at>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Thu, 21 Nov 2019 16:26:07 +0000
  • Accept-language: en-US

Peter has said this more eloquently and precisely than I ever could. I agree
fully with what he’s said.

Nick

On 21 Nov 2019, at 5:21, Peter Schober wrote:

> * Guy Halse <guy AT tenet.ac.za> [2019-11-21 09:26]:
>> Thus from my perspective, ADFS is something I have to learn to live
>> with if I want R&E federation to succeed here. Given the choice
>> between living with ADFS's quirks and abandoning the idea of getting
>> R&E federation working, I'll choose the former.
>
> At least in our community they'd rather follow our documentation to
> get a system integrating with the global community, that's
> significantly more powerful while also being lower in maintenance
> (because it's maintenance of the software/system only, not of each and
> every trust relationship), even if that means having to deal with
> software they haven't used before. YMMV.
>
>> What that probably boils down to is that Microsoft are good at
>> marketing; we are not.
>
> Make that "vendor lock-in", not (merely) marketing: From the PC OS
> (which they still own[1]) with its broken clients ever expanding to
> your data center to hosted servers and services.
>
> But that's not even the point. This is: If our offerings
> (multi-lateral federation) are not simpler and more secure and better
> scaling than the alternatives (manual, bilateral trust relationships)
> we have nothing to offer, really.
>
> (Not that I've personally ever met anyone who preferred establishing
> and managing trust relationships manually even if that meant keeping
> their pseudo-familiar GUI software, but again YMMV.)
>
> As is the case so often the problem is that there's no rationality
> within large organisations -- ultimately down to the establishment of
> trust via mutual automatic importing plain text files ("metadata")
> over the Internet and blindly trusting the content (endpoints,
> cryptographic keys) the same way as you'd be trusting your OS
> vendor-supplied CA trust store. And the admins doing those
> integrations usually have no idea what makes one integration secure
> and another insecure. Broken and/or misleading vendor documentation
> doesn't make this better either.
> I.e., in a general state of confusion, security theatre and bad
> implementations having actually secure infrastructures with non-broken
> software is outside the norm. And "No one ever got fired for buying
> from [big vendor]." aka doing what the rest is doing.
>
> -peter
>
> [1] https://en.wikipedia.org/wiki/Usage_share_of_operating_systems

Attachment: signature.asc
Description: OpenPGP digital signature
