An open discussion list for topics related to the eduGAIN interfederation service.

[Alex Stuart <Alex.Stuart AT jisc.ac.uk>]

Hello all,

Sorry for the delay. Here's some information on the UK federation's practice 
around certificate expiry, and why we have stopped warning about most 
expiring certificates.

> On 19 Nov 2019, at 13:00, Guy Halse <guy AT tenet.ac.za> wrote:
> On 2019/11/19 12:55, Zenon Mousmoulas wrote:
>> I am not suggesting removing the check/warning. I am just trying to 
>> understand where it comes from, so that we can provide an argument to 
>> federation members who are asking why we ask that they update their 
>> expired certificates.
> For me this is a is a simple application of the Robustness Principle (aka 
> Postel's law).
> 
> Assuming that some providers check the certificate expiration even when 
> they do not need to, as is suggested by:
>> Anecdotal evidence suggests that MS ADFS, at least some versions, impose 
>> such a requirement. Even if only for such interop issues (rather than 
>> normative documents), I was hoping someone might be able to point to a 
>> more explicit reference.
>> 
> means that if we want to maintain maximum interoperability we should take 
> the conservative approach of ensuring that certificates are not expired, 
> even when this may not strictly be required by the profile (having valid 
> certificates is not prohibited by the profile).
> 

Yes, it's clear that to ensure maximum interoperability there should be no 
expired certificates in metadata. And even though the UK federation 
recommends that entities' metadata conform to the MetaIOP, we worked towards 
a goal of maximum interoperability:

- We had a weekly Jenkins job which reported on certificates about to expire, 
and helpdesk staff would proactively contact entity owners and assist in the 
rollover.

- Alongside that, we worked with deployers and implementers of software 
products which checked expiry dates, to encourage them to upgrade their 
software and follow MetaIOP. We are now in the position where the vast 
majority of software does follow it.

However, our practice changed at the end of 2019.

- Sometime in 2009, the Shibboleth SP default validity for trust fabric 
certificates generated at install time increased to 10 years.

- From 2019 onwards, these 10-year certificates started to expire, increasing 
the maintenance burden for the helpdesk. We've been registering Shibboleth 
SPs for ever, and we have over 1100 registered today, so over the next few 
years we'd see 2 or 3 expiring certificates per week. I've graphed the expiry 
dates by year at [1].

- The rollover process can lead to unplanned outages, especially for entity 
operators not skilled at certificate rollover.

We have therefore stopped warning about expiring certificates in metadata.

One exception is that we acknowledge that other federations may have a policy 
of accepting only CA-issued certificates. Deployments registered in the UK 
federation may need to follow those policies, so we continue to monitor and 
inform deployers with CA-issued certificates that are close to expiry. This 
is approximately 5% of the total number of certificates we have registered.

Our communication to UK federation members is at 
https://www.ukfederation.org.uk/content/News/2019-10-31-certificate-expiry

Best,
Alex

[1] 
https://www.ukfederation.org.uk/library/uploads/News/certificates-by-year.png

—
Alex Stuart, Principal technical support specialist (UK federation)           
    
alex.stuart AT jisc.ac.uk
UK federation helpdesk: service AT ukfederation.org.uk

Jisc is a registered charity (number 1149740) and a company limited by 
guarantee which is registered in England under company number. 05747339, VAT 
number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, 
BS1 6NB. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited 
by guarantee which is registered in England under company number 02881024, 
VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, 
Bristol, BS1 6NB. T 0203 697 5800.  

For more details on how Jisc handles your data see our privacy notice here: 
https://www.jisc.ac.uk/website/privacy-notice