shibd unable to verify signature when metadata is cached

Cantor, Scott cantor.2 at
Tue Apr 12 19:05:21 EDT 2016

On 4/12/16, 5:52 PM, "users on behalf of Nick Roy" <users-bounces at on behalf of nroy at> wrote:

>Hi - the InCommon TAC discussed this issue at a recent call, and it was recommended that I post here to advocate for a resolution to this issue as soon as can be reasonably undertaken.  Since much of the InCommon Service Provider installed base uses Shibboleth SP, this is a critical issue for our deployers.

Well, I kind of disputed that, so let's talk about it.

In 15 years, we've had two cases of this happening in the span of a few days. Very coincidental, but ok.

In turn, nobody running an SP would have noticed (that includes me). People *restarting* an SP would notice. And the workaround was simple and quick.

I didn't see this as a bug that needed to be fixed sooner than the normal course of events (likely several months, perhaps longer, but largely driven by security releases of other libraries). So far, nobody else raised a concern over that timeline, which was implicit in my accepting a bug report but not acting on it.

To put it in perspective, we're talking about roughly a half month of work to do a release, probably longer as it turns out, because we determined the actual bug is in another library, and getting *that* fixed and released will take time on top of it. That's not an insignificant chunk of time, and likely is enough to push the schedule of the IdP forward.

-- Scott
