Trouble with signature filter skipping
Guillaume Rousse
guillaume.rousse at renater.fr
Fri Sep 14 10:55:16 EDT 2018
On 14/09/2018 at 11:25, Guillaume Rousse wrote:
> the backing file is just a backup, and not a cache, as I
> naively supposed:
>
> If a url attribute is used, the downloaded resource is copied to this
> location. If the software is started and the remote resource is
> unavailable or invalid, the backing file is loaded instead
Actually, it seems quite easy to check the creation timestamp of this
file (if it exists) at startup, and if the age of the file is less than
the configured maxRefreshDelay, use it instead of downloading a fresh copy.
This would achieve caching in addition to backup. If such a change is
considered favorable, I'd be ready to contribute it myself.
Also, I've been surprised by the following statement in the documentation
about the URL attribute:
The SP does not verify the transport (i.e. it does not verify the X.509
certificate presented by the remote server when HTTPS is the transport).
Is it a design decision, or merely an implementation issue? Because
that's quite counter-intuitive, and it also prevents exchanging signature
checking for metadata source authentication, which doesn't
suffer from a CPU usage bottleneck.
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
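The cache-plus-backup behaviour sketched in the message above, as an added example that is neither Shibboleth SP code nor the author's: a small Python loader in which the function names (`load_metadata`, `MetadataLoadError`, `demo`), the `fetch`/`validate` callables and the use of file mtime as the age reference (POSIX has no portable creation time) are assumptions; `validate` only stands in for the signature filter, and the sample metadata documents are constructed. The three paths are: a backing file younger than maxRefreshDelay is used as a cache, otherwise a fresh copy is downloaded and atomically becomes the new backing file, and if the download fails or does not validate the backing file is used as the documented backup regardless of its age.

```python
import os
import tempfile
import time
from typing import Callable, Optional, Tuple


class MetadataLoadError(Exception):
    """Neither the remote source nor the backing file yielded valid metadata."""


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def load_metadata(
    backing_file: str,
    max_refresh_delay: float,
    fetch: Callable[[], bytes],
    validate: Callable[[bytes], bool],
    now: Optional[float] = None,
) -> Tuple[bytes, str]:
    """Return (metadata, source) with source in {"cache", "remote", "backup"}.

    Hypothetical loader illustrating the proposal; not the SP's implementation.
    """
    now = time.time() if now is None else now
    have_backup = os.path.isfile(backing_file)

    # Step 1 (proposed cache): backing file younger than max_refresh_delay
    # seconds and valid -> use it without touching the network. File mtime is
    # the age reference here (assumption); it is refreshed on every write below.
    if have_backup:
        age = now - os.stat(backing_file).st_mtime
        if 0 <= age < max_refresh_delay:
            data = _read(backing_file)
            if validate(data):
                return data, "cache"

    # Step 2: download. validate() stands in for the signature filter: an
    # unsigned or badly signed document must never overwrite the backing file.
    try:
        data = fetch()
        if validate(data):
            tmp = backing_file + ".tmp"
            with open(tmp, "wb") as f:
                f.write(data)
            os.replace(tmp, backing_file)  # atomic: no half-written backup
            return data, "remote"
    except OSError:
        pass

    # Step 3 (documented backup): remote unavailable or invalid -> backing
    # file, whatever its age.
    if have_backup:
        data = _read(backing_file)
        if validate(data):
            return data, "backup"
    raise MetadataLoadError("remote unavailable or invalid and no usable backing file")


def demo() -> dict:
    """Exercise the three paths with constructed metadata in a temp directory."""
    def is_metadata(d: bytes) -> bool:  # toy validator, not a signature check
        return d.startswith(b"<EntitiesDescriptor")

    v1 = b'<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="v1"/>'
    v2 = b'<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="v2"/>'
    calls = []

    def fetch_ok() -> bytes:
        calls.append("ok")
        return v2

    def fetch_down() -> bytes:
        calls.append("down")
        raise OSError("connection refused")

    out = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "federation-metadata.xml")
        with open(path, "wb") as f:  # a freshly written backing file
            f.write(v1)
        out["fresh_data"], out["fresh"] = load_metadata(path, 7200, fetch_ok, is_metadata)

        stale = time.time() - 10_000  # older than maxRefreshDelay=7200
        os.utime(path, (stale, stale))
        out["stale_data"], out["stale"] = load_metadata(path, 7200, fetch_ok, is_metadata)

        os.utime(path, (stale, stale))
        out["backup_data"], out["stale_remote_down"] = load_metadata(
            path, 7200, fetch_down, is_metadata)

        os.remove(path)
        try:
            load_metadata(path, 7200, fetch_down, is_metadata)
            out["nothing"] = "loaded"
        except MetadataLoadError:
            out["nothing"] = "error"
    out["fetch_calls"] = list(calls)
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the proposal: with a fresh backing file the fetch callable is never invoked, a stale one triggers exactly one download that replaces the file, and an unreachable remote falls back to whatever was last stored, while a missing backing file plus a failed download is a hard error rather than a silent start without metadata.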