Metadata security best practices and understanding

Byte Flinger byteflinger at gmail.com
Mon Jan 27 12:42:38 EST 2014


Hi

We have a Shibboleth IDP which currently talks to one single SP and we are
using an out-of-band metadata exchange process.

We are concerned with the speed of revoking such metadata should something
occur with the signing certificate. I am aware that it is possible to have
a 3rd party providing signed metadata files; however, in such a small setup
of 1 IDP to 1 SP (at the moment anyway) it feels that setting something
like that up won't allow for any gain on the matter, as someone will still
need to perform the manual revocation of the metadata file on the metadata
provider side, and also I don't see any added value in terms of security of
having such a 3rd party provider compared to an out-of-band solution like
we already do.

Am I correct in this? Am I missing something? I understand that something
like OCSP check/revocation is not possible with out-of-the-box Shibboleth
IDP, so how would one tackle the issue of quickly revoking a certificate
should something happen?

I am thinking that maybe the side running the SP could set up such a
metadata provider so they can easily and quickly revoke their own metadata
supplied to our IDP. If that would be the case, is there any software out
there to do this? Could something like ADFS (being run on the SP side) already
support this without too much extra effort?

Any input on the matter is welcome.
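For readers following this thread: the revocation window for consumed metadata is bounded by how often the IdP re-fetches it, how long each metadata document is allowed to remain valid, and whether the IdP insists on a signature it can verify. The following is an added illustration (not the poster's configuration and not taken from the Shibboleth project) of an IdP 2.x relying-party.xml metadata provider that encodes those three limits; the URL, backing file path and trust engine bean name are placeholders.

```xml
<!-- Added illustration: a remote metadata source that bounds revocation delay.
     Assumes the IdP 2.x relying-party.xml namespaces (metadata:, xsi:) are
     declared on the root element, and that shibboleth.MetadataTrustEngine
     is a trust engine configured with the metadata signing key. -->
<metadata:MetadataProvider id="ShibbolethMetadata"
                           xsi:type="metadata:ChainingMetadataProvider">

  <metadata:MetadataProvider id="PartnerSPMetadata"
      xsi:type="metadata:FileBackedHTTPMetadataProvider"
      metadataURL="https://metadata.example.org/partner-sp-metadata.xml"
      backingFile="/opt/shibboleth-idp/metadata/partner-sp-metadata.xml"
      minRefreshDelay="PT5M"
      maxRefreshDelay="PT1H">
    <!-- maxRefreshDelay caps how long a published revocation (a new file
         without the withdrawn entity or key) can go unnoticed. -->

    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">

      <!-- Reject metadata that is unsigned or whose signature does not
           verify against the trust engine's configured signing key. -->
      <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
          trustEngineRef="shibboleth.MetadataTrustEngine"
          requireSignedMetadata="true"/>

      <!-- Require a validUntil attribute no more than 7 days out, so a
           stale or replayed metadata document expires on its own even if
           the publisher cannot be reached to push a revocation. -->
      <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
          maxValidityInterval="P7D"/>

    </metadata:MetadataFilter>
  </metadata:MetadataProvider>
</metadata:MetadataProvider>
```

With these settings the worst-case time for a withdrawn SP key to stop being trusted is roughly maxRefreshDelay after the publisher removes it, plus the remaining validity of the last document the IdP cached; an out-of-band file with no validUntil and no refresh has no such bound.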