shibd unable to verify signature when metadata is cached

Nick Roy nroy at internet2.edu
Wed Apr 13 10:27:03 EDT 2016


Thanks Scott,

I think the difference between today and six months ago is that InCommon is now republishing eduGAIN metadata.  Even with the best everyone can do, things like this are just statistically more likely to happen, so there is, I think, a larger need to address these kinds of issues in a quicker way.

Thank you,

Nick


On 4/12/16, 5:05 PM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:

>On 4/12/16, 5:52 PM, "users on behalf of Nick Roy" <users-bounces at shibboleth.net on behalf of nroy at internet2.edu> wrote:
>
>
>
>>Hi - the InCommon TAC discussed this issue at a recent call, and it was recommended that I post here to advocate for a resolution to this issue as soon as can be reasonably undertaken.  Since much of the InCommon Service Provider installed base uses Shibboleth SP, this is a critical issue for our deployers.
>
>Well, I kind of disputed that, so let's talk about it.
>
>In 15 years, we've had two cases of this happening in the span of a few days. Very coincidental, but ok.
>
>In turn, nobody running an SP would have noticed (that includes me). People *restarting* an SP would notice. And the workaround was simple and quick.
>
>I didn't see this as a bug that needed to be fixed sooner than the normal course of events (likely several months, perhaps longer, but largely driven by security releases of other libraries). So far, nobody else raised a concern over that timeline, which was implicit in my accepting a bug report but not acting on it.
>
>To put it in perspective, we're talking about roughly a half month of work to do a release, probably longer as it turns out, because we determined the actual bug is in another library, and getting *that* fixed and released will take time on top of it. That's not an insignificant chunk of time, and likely is enough to push the schedule of the IdP forward.
>
>-- Scott

