mac check in GCM failed Errors

Ullfig, Roberto Alfredo rullfig at
Mon Mar 12 11:28:17 EDT 2018

So what would the end-user see? I've seen thousands of these and not one user ticket about an issue.

Roberto Ullfig - rullfig at
IT Technical Associate
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Monday, March 12, 2018 8:27 AM
To: Shib Users <users at>
Subject: RE: mac check in GCM failed Errors

> So there's no solution?

You have data in the wild under a key you don't have, so you either provide the key or wait for all of that data in the wild to be fed back and fail to decrypt and get replaced. There is no hard time limit within which somebody can't come back years later with something that can't be decrypted, even though it's long since expired. If the key history is 30 days, any data encrypted over 30 days ago will fail instead of just being detected as expired. It's just how it works. It could be improved I suppose by storing the expiration in the clear as a hint to avoid needless decryption attempts and log noise, but that isn't what I did.

-- Scott
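
Added example, not part of the original thread and not Shibboleth's own code: a sketch of the improvement described above, where the expiration is stored in the clear and bound to the ciphertext as GCM associated data, so an expired blob is rejected before any decryption attempt or MAC error. The blob layout, the key-version field and every class, method and enum name are assumptions made for this demo.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.*;

public class ExpiryHintDemo {
    enum Result { OK, EXPIRED, KEY_ROTATED_OUT, BAD_MAC }

    // Constructed layout: keyVersion(4) | expiresAtMillis(8) | iv(12) | ciphertext+tag
    static byte[] seal(int ver, SecretKey key, long expiresAt, byte[] data) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] header = ByteBuffer.allocate(12).putInt(ver).putLong(expiresAt).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        c.updateAAD(header); // the cleartext hint is authenticated, so it cannot be extended
        byte[] ct = c.doFinal(data);
        return ByteBuffer.allocate(24 + ct.length).put(header).put(iv).put(ct).array();
    }

    static Result unseal(Map<Integer, SecretKey> history, byte[] blob, long now) throws Exception {
        ByteBuffer b = ByteBuffer.wrap(blob);
        int ver = b.getInt();
        if (b.getLong() <= now) return Result.EXPIRED;   // decided from the hint alone
        SecretKey key = history.get(ver);
        if (key == null) return Result.KEY_ROTATED_OUT;  // key is no longer in the history
        byte[] iv = new byte[12];
        b.get(iv);
        byte[] ct = new byte[b.remaining()];
        b.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        c.updateAAD(Arrays.copyOf(blob, 12));
        try { c.doFinal(ct); return Result.OK; } catch (AEADBadTagException e) { return Result.BAD_MAC; }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey oldKey = kg.generateKey();             // version 1, already rotated out
        Map<Integer, SecretKey> history = new HashMap<>();
        history.put(2, kg.generateKey());                // only version 2 is still held
        long now = System.currentTimeMillis();
        byte[] stale = seal(1, oldKey, now - 1000, "session".getBytes());
        byte[] fresh = seal(2, history.get(2), now + 60_000, "session".getBytes());
        for (byte[] blob : List.of(stale, fresh)) System.out.println(unseal(history, blob, now));
        fresh[5] ^= 1;                                   // push the cleartext expiry into the future
        System.out.println(unseal(history, fresh, now)); // tag check now fails
    }
}
```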
