edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Alex Stuart <Alex.Stuart AT jisc.ac.uk>
  • To: Guy Halse <guy AT tenet.ac.za>
  • Cc: Zenon Mousmoulas <zmousm AT noc.grnet.gr>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Tue, 31 Mar 2020 09:20:58 +0000
  • Accept-language: en-GB, en-US

Hello all,

Sorry for the delay. Here's some information on the UK federation's practice
around certificate expiry, and why we have stopped warning about most
expiring certificates.

> On 19 Nov 2019, at 13:00, Guy Halse <guy AT tenet.ac.za> wrote:
> On 2019/11/19 12:55, Zenon Mousmoulas wrote:
>> I am not suggesting removing the check/warning. I am just trying to
>> understand where it comes from, so that we can provide an argument to
>> federation members who are asking why we ask that they update their
>> expired certificates.
> For me this is a simple application of the Robustness Principle (aka
> Postel's law).
>
> Assuming that some providers check the certificate expiration even when
> they do not need to, as is suggested by:
>> Anecdotal evidence suggests that MS ADFS, at least some versions, impose
>> such a requirement. Even if only for such interop issues (rather than
>> normative documents), I was hoping someone might be able to point to a
>> more explicit reference.
>>
> means that if we want to maintain maximum interoperability we should take
> the conservative approach of ensuring that certificates are not expired,
> even when this may not strictly be required by the profile (having valid
> certificates is not prohibited by the profile).
>

Yes, it's clear that to ensure maximum interoperability there should be no
expired certificates in metadata. And even though the UK federation
recommends that entities' metadata conform to the MetaIOP, we worked towards
a goal of maximum interoperability:

- We had a weekly Jenkins job which reported on certificates about to expire,
and helpdesk staff would proactively contact entity owners and assist in the
rollover.

- Alongside that, we worked with deployers and implementers of software
products which checked expiry dates, to encourage them to upgrade their
software and follow MetaIOP. We are now in the position where the vast
majority of software does follow it.

However, our practice changed at the end of 2019.

- Sometime in 2009, the Shibboleth SP default validity for trust fabric
certificates generated at install time increased to 10 years.

- From 2019 onwards, these 10-year certificates started to expire, increasing
the maintenance burden for the helpdesk. We've been registering Shibboleth
SPs for ever, and we have over 1100 registered today, so over the next few
years we'd see 2 or 3 expiring certificates per week. I've graphed the expiry
dates by year at [1].

- The rollover process can lead to unplanned outages, especially for entity
operators not skilled at certificate rollover.

We have therefore stopped warning about expiring certificates in metadata.

One exception is that we acknowledge that other federations may have a policy
of accepting only CA-issued certificates. Deployments registered in the UK
federation may need to follow those policies, so we continue to monitor and
inform deployers with CA-issued certificates that are close to expiry. This
is approximately 5% of the total number of certificates we have registered.

Our communication to UK federation members is at
https://www.ukfederation.org.uk/content/News/2019-10-31-certificate-expiry

Best,
Alex

[1]
https://www.ukfederation.org.uk/library/uploads/News/certificates-by-year.png


Alex Stuart, Principal technical support specialist (UK federation)

alex.stuart AT jisc.ac.uk
UK federation helpdesk: service AT ukfederation.org.uk

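As an added illustration (not code from this list message, nor the UK federation's actual Jenkins job), the following pure-stdlib Python script does what the weekly expiry report described above did, with the post-2019 twist: it reads a SAML metadata aggregate, pulls every X509Certificate out of each entity's KeyDescriptor, computes the days left, and only raises a warning for certificates that look CA-issued (issuer differs from subject), leaving self-signed trust-fabric certificates alone. The entity IDs, the report date and the unsigned certificate skeletons are constructed sample data, and the minimal DER walker reads only the TBSCertificate fields it needs.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"
NOW = datetime(2020, 3, 31, tzinfo=timezone.utc)   # assumed "today" for the report (constructed)
def der_children(buf):   # split DER bytes into top-level (tag, value) pairs, handling long-form lengths
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                  # long-form: low 7 bits = number of length bytes
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out
def cert_info(cert_der):   # (notAfter, self_signed) read from TBSCertificate; the signature is not verified
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])   # TBSCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields                    # skip explicit [0] version
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    tag, na = der_children(validity)[1]               # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    not_after = datetime.strptime(na.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")
    return not_after.replace(tzinfo=timezone.utc), issuer == subject   # issuer == subject: self-signed heuristic
def expiry_report(metadata_xml, now=NOW, warn_days=90):   # rows: (entityID, days_left, self_signed, warn)
    rows = []
    for ent in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        for c in ent.iter(DS + "X509Certificate"):
            not_after, self_signed = cert_info(base64.b64decode("".join(c.text.split())))
            days = (not_after - now).days
            rows.append((ent.get("entityID"), days, self_signed, not self_signed and days <= warn_days))
    return rows                                       # warn only for CA-issued (non-self-signed) certs

# Constructed sample data: unsigned certificate skeletons in a minimal aggregate, not real certificates.
def der(tag, body):                                   # short-form lengths only; enough for the sample
    return bytes([tag, len(body)]) + body
def fake_cert(subject_cn, issuer_cn, not_after):      # notBefore is 10 years earlier, like the old SP default
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))      # sha256WithRSAEncryption
    tbs = der(0x30, der(0x02, b"\x01") + alg + name(issuer_cn)
              + der(0x30, utc(not_after - timedelta(days=3652)) + utc(not_after)) + name(subject_cn))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
ENTITY = ('<md:EntityDescriptor entityID="{eid}"><md:SPSSODescriptor><md:KeyDescriptor><ds:KeyInfo>'
          '<ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
          '</md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')
def sample_metadata(now=NOW):   # one self-signed Shibboleth-style SP cert and one CA-issued cert, both expiring soon
    soon = now + timedelta(days=20)
    certs = {"https://sp.example.ac.uk/shibboleth": fake_cert("sp.example.ac.uk", "sp.example.ac.uk", soon),
             "https://idp.example.ac.uk/idp": fake_cert("idp.example.ac.uk", "Example CA", soon)}
    body = "".join(ENTITY.format(eid=e, b64=base64.b64encode(c).decode()) for e, c in certs.items())
    return ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{body}</md:EntitiesDescriptor>')
```

Running `expiry_report(sample_metadata())` lists both certificates as 20 days from expiry but warns only about the CA-issued one, which is the 5% case the message still monitors.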

