Error creating SP metadata when adding X509 certificate for encryption
Lipscomb, Gary
glipscomb at csu.edu.au
Mon Feb 26 21:02:31 EST 2018
Thanks Scott.
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Tuesday, 27 February 2018 12:48 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Error creating SP metadata when adding X509 certificate for encryption
> I'm a bit confused. Are you saying even if I had a valid certificate not using the
> PKCS 1.5 in the SP metadata it wouldn't be used.
Certificates do not "use" RSA methods like PKCS 1.5. OAEP and PKCS 1.5 are padding methods used when encrypting AES keys with RSA public keys. The certificate has nothing to do with this; it's merely a way of communicating a public key to begin with.
I don't recall exactly what it will do when there's an EncryptionMethod algorithm included that is barred. It may fall back to the OAEP padding method that's not broken or it may give up and assume the SP doesn't support anything else. I thought it did the latter, but you're not getting far enough to tell.
I simply was observing that they don't know what they're doing even more than was already noted and that using that metadata as is might not work even if the certificate weren't broken.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
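The distinction Scott draws above (the certificate only carries a public key; the padding is chosen by the EncryptionMethod algorithm) is easy to check mechanically in SP metadata. The following is an added example, not code from the thread or from the Shibboleth project: a small standard-library audit of the encryption KeyDescriptor that lists the advertised RSA key-transport algorithms, flags the PKCS#1 v1.5 URI (rsa-1_5) as barred, and reports whether an acceptable OAEP alternative remains. The metadata fragment, entityID and certificate text are constructed placeholders; the algorithm URIs are the standard XML Encryption identifiers.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# RSA key-transport algorithm URIs from XML Encryption: the padding each one
# names and whether an encrypting party should still be offering it.
RSA_KEY_TRANSPORT = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": ("RSA PKCS#1 v1.5 padding", False),
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p": ("RSA-OAEP with MGF1/SHA-1", True),
    "http://www.w3.org/2009/xmlenc11#rsa-oaep": ("RSA-OAEP (XML Encryption 1.1)", True),
}

# Block-encryption algorithm URIs (what the wrapped AES key is used for).
DATA_ENCRYPTION = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}

# Constructed SP metadata for the demonstration (not the metadata from the thread).
# The certificate values are placeholders, not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def audit_encryption_key_descriptors(metadata_xml):
    """Return one finding per KeyDescriptor usable for encryption.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it is audited as well.
    """
    root = ET.fromstring(metadata_xml)
    findings = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        if use is not None and use != "encryption":
            continue
        # The certificate only transports the public key; it says nothing
        # about which padding will be used with that key.
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        methods = [em.get("Algorithm") for em in kd.iterfind("md:EncryptionMethod", NS)]
        key_transport = [m for m in methods if m in RSA_KEY_TRANSPORT]
        findings.append({
            "has_certificate": cert is not None and bool((cert.text or "").strip()),
            "key_transport": key_transport,
            "barred_key_transport": [m for m in key_transport if not RSA_KEY_TRANSPORT[m][1]],
            "acceptable_key_transport": [m for m in key_transport if RSA_KEY_TRANSPORT[m][1]],
            "data_encryption": [m for m in methods if m in DATA_ENCRYPTION],
            "unknown": [m for m in methods if m not in RSA_KEY_TRANSPORT and m not in DATA_ENCRYPTION],
        })
    return findings


def verdict(finding):
    """Summarise whether an encrypting party can honour the advertised methods."""
    if not finding["has_certificate"]:
        return "no-public-key"
    if not finding["key_transport"]:
        return "no-key-transport-listed"   # the encrypting party picks its own default
    if finding["acceptable_key_transport"]:
        return "ok"
    return "only-barred-key-transport"     # the encrypting party must fall back or refuse


if __name__ == "__main__":
    for f in audit_encryption_key_descriptors(SAMPLE_METADATA):
        for alg in f["barred_key_transport"]:
            print(f"barred: {alg} ({RSA_KEY_TRANSPORT[alg][0]})")
        print("verdict:", verdict(f))
```

Run against the sample, the audit reports rsa-1_5 as the only key-transport method and gives the verdict "only-barred-key-transport": whether the encrypting party then falls back to OAEP or refuses is implementation-specific, exactly the uncertainty Scott describes, so the safe fix is to advertise an OAEP URI (or omit EncryptionMethod entirely) rather than rely on that behaviour.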