mac check in GCM failed Errors
Ullfig, Roberto Alfredo
rullfig at uic.edu
Mon Mar 12 11:28:17 EDT 2018
So what would the end-user see? I've seen thousands of these and not one user ticket about an issue.
Roberto Ullfig - rullfig at uic.edu
IT Technical Associate
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Monday, March 12, 2018 8:27 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: mac check in GCM failed Errors
> So there's no solution?
You have data in the wild under a key you don't have, so you either provide the key or wait for all of that data in the wild to be fed back and fail to decrypt and get replaced. There is no hard time limit within which somebody can't come back years later with something that can't be decrypted, even though it's long since expired. If the key history is 30 days, any data encrypted over 30 days ago will fail instead of just being detected as expired. It's just how it works. It could be improved I suppose by storing the expiration in the clear as a hint to avoid needless decryption attempts and log noise, but that isn't what I did.
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users