Problems changing IDP certificates

Cantor, Scott cantor.2 at osu.edu
Thu Sep 12 13:03:40 EDT 2013


On 9/12/13 12:48 PM, "Byte Flinger" <byteflinger at gmail.com> wrote:

>What do you mean, Scott? Without Shibboleth being able to read the certificate
>it cannot do anything. I just get Service Unavailable when the SP tries
>to redirect to Shibboleth with a SAML Request.

I'm saying use a SHA-1 cert. Nothing you're trying to "fix" by using a
SHA-256 cert is relevant to the use of the certificate.

Until very recently, there was no usable way to express raw public keys in
metadata or on the wire, so that's one of the main reasons certificates
are used as convenient, but misleading, containers.

I see nothing so far to suggest this isn't a bug in the certificate
parsing library V2 is using, but I don't know if it's a known one and it
certainly should be filed. With no V2 updates planned, I don't know that
it's fixable, especially given that the parsing code is not ours. Also
needs to be added to our unit tests for V3 certainly (and the parsing code
there is different).

-- Scott
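An added illustration of Scott's point that the certificate is only a container for the key (this is example code written for this archive page, not anything from the Shibboleth project or the thread). It constructs two DER certificates around one SubjectPublicKeyInfo, labelling one sha1WithRSAEncryption and the other sha256WithRSAEncryption, wraps each in a ds:X509Certificate inside constructed SAML metadata, and then extracts what an SP actually consumes. The modulus is a toy value and the signature bytes are placeholders, not real signatures, so nothing here verifies anything; the entityID and key sizes are assumptions.

```python
"""Added example: the hash in a certificate's own signature lives in a field
separate from the public key, and only the key matters to a SAML consumer."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"

# --- minimal DER encode/decode helpers ---------------------------------------
def der(tag, body):                      # TLV with short or long-form length
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(value):                      # INTEGER, leading 0x00 if high bit set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit = continuation
        chunk = bytearray([arc & 0x7F]); arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F)); arc >>= 7
        out += chunk
    return bytes(out)

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value); value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):                # -> (tag, body, raw_tlv, next_pos)
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def children(body):                      # all TLVs directly inside a SEQUENCE/SET
    items, pos = [], 0
    while pos < len(body):
        tag, val, raw, pos = read_tlv(body, pos)
        items.append((tag, val, raw))
    return items

# --- constructed certificates -------------------------------------------------
TOY_MODULUS = int.from_bytes(b"\xc0" + bytes(range(1, 64)), "big")  # NOT a real key

def build_spki(modulus, exponent):
    rsa_alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.1")) + der(0x05, b""))
    rsa_key = der(0x30, der_int(modulus) + der_int(exponent))
    return der(0x30, rsa_alg + der(0x03, b"\x00" + rsa_key))

def build_certificate(sig_alg_oid, spki):
    alg = der(0x30, der(0x06, encode_oid(sig_alg_oid)) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, encode_oid("2.5.4.3"))
                                        + der(0x0C, b"idp.example.org"))))
    validity = der(0x30, der(0x17, b"130912120000Z") + der(0x17, b"230912120000Z"))
    tbs = der(0x30, der_int(1) + alg + name + validity + name + spki)  # v1 layout
    placeholder_sig = der(0x03, b"\x00" + b"\x42" * 32)  # constructed, not a signature
    return der(0x30, tbs + alg + placeholder_sig)

def metadata_with(certs):                # constructed EntityDescriptor, assumed entityID
    descs = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>'
        f'{base64.b64encode(c).decode()}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>'
        for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.org/idp"><md:IDPSSODescriptor>'
            f'{descs}</md:IDPSSODescriptor></md:EntityDescriptor>')

# --- what a consumer pulls out ------------------------------------------------
def describe_certificate(der_cert):
    _, body, _, _ = read_tlv(der_cert)
    tbs, sig_alg, _sig_value = children(body)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:             # explicit [0] version present (v2/v3)
        fields = fields[1:]
    spki = fields[5]                     # serial, sigAlg, issuer, validity, subject, SPKI
    return {"signature_algorithm": decode_oid(children(sig_alg[1])[0][1]),
            "spki": spki[2]}

def keys_from_metadata(xml_text):
    root = ET.fromstring(xml_text)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS)
        found.append((kd.get("use"), describe_certificate(base64.b64decode("".join(b64.split())))))
    return found

def compare_metadata_keys():
    spki = build_spki(TOY_MODULUS, 65537)
    xml_text = metadata_with([build_certificate(SHA1_RSA, spki), build_certificate(SHA256_RSA, spki)])
    return keys_from_metadata(xml_text)

if __name__ == "__main__":
    for use, info in compare_metadata_keys():
        print(use, info["signature_algorithm"], info["spki"][:12].hex())
```

Running it prints two KeyDescriptors whose certificate signature OIDs differ while the extracted SubjectPublicKeyInfo bytes are identical: swapping the cert's hash changes nothing the SP uses, which is why a parser failure on the SHA-256 cert is a library bug rather than a key problem.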
