Trouble with signature filter skipping

Guillaume Rousse guillaume.rousse at
Fri Sep 14 10:55:16 EDT 2018

On 14/09/2018 at 11:25, Guillaume Rousse wrote:
> the backing file is just a backup, and not a cache, as I 
> naively supposed:
> If a url attribute is used, the downloaded resource is copied to this 
> location. If the software is started and the remote resource is 
> unavailable or invalid, the backing file is loaded instead
Actually, it seems quite easy to check the creation timestamp of this 
file (if it exists) at startup, and if the age of the file is less than 
the configured maxRefreshDelay, use it instead of downloading a fresh copy. 
This would achieve caching in addition to backup. If such a change is 
considered favorable, I'd be ready to contribute it myself.

Also, I've been surprised by the following statement in the documentation 
about the URL attribute:
The SP does not verify the transport (i.e. it does not verify the X.509 
certificate presented by the remote server when HTTPS is the transport).

Is it a design decision, or merely an implementation issue? Because 
that's quite counter-intuitive, and also prevents exchanging signature 
checking for metadata source authentication, which doesn't 
suffer from a CPU usage bottleneck.

Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
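
The startup check proposed in this message, sketched as an added example (not code from the original post or from the SP). It assumes the file's modification time can stand in for the "creation timestamp", since the downloaded resource is copied to the backing location each time; the function name, the reason strings and the sample file are hypothetical.

```python
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Decision:
    use_backing: bool  # True: load the backing file, skip the download
    reason: str


def backing_file_decision(path, max_refresh_delay, now=None):
    """Decide at startup whether the backing file is recent enough to load.

    max_refresh_delay is in seconds. Assumption: modification time stands in
    for the "creation timestamp", as the file is rewritten on each download.
    """
    now = time.time() if now is None else now
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return Decision(False, "missing")
    if st.st_size == 0:
        # A truncated or interrupted write must not be treated as a cache hit.
        return Decision(False, "empty")
    age = now - st.st_mtime
    if age < 0:
        # A timestamp in the future would otherwise look fresh indefinitely.
        return Decision(False, "future")
    if age < max_refresh_delay:
        return Decision(True, "fresh")
    return Decision(False, "stale")


if __name__ == "__main__":
    # Constructed sample: a backing file written 100 seconds ago.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "metadata-backup.xml")
        with open(path, "w") as fh:
            fh.write("<EntitiesDescriptor/>")
        past = time.time() - 100
        os.utime(path, (past, past))
        print(backing_file_decision(path, 3600))  # recent enough: use it
        print(backing_file_decision(path, 60))    # too old: download
```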
