The validUntil attribute in SP metadata: should we require it?

Wessel, Keith kwessel at illinois.edu
Fri Sep 13 10:03:28 EDT 2019


Yes, remove it. Vendors who put that in expect you to do an automatic HTTP refresh of their metadata, and since it isn't signed, that's a DNS poisoning attack waiting to happen. You're obviously not going to manually download the metadata once a week or month or whatever to keep it valid, and it's not safe to automatically fetch remote unsigned metadata. Only option left is to delete it.

This is an opportunity, of course, to make other edits to the metadata, as well, such as things that you can control via metadata rather than with relying party config changes.

Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Mak, Steve
Sent: Friday, September 13, 2019 8:50 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: The validUntil attribute in SP metadata: should we require it?

I almost always delete the validUntil attribute from the sp metadata that I can edit.

My reasoning is this:
SPs that use a short-lived validUntil want to pressure me into doing an HTTP metadata config, or they don't realize it's in there.  We don't accept HTTP metadata, we only do localDynamic or InCommon.  If a short-lived value slips through, then they call us to ask why the IdP is rejecting their AuthnRequests a week later.

For SPs that use long-lived validUntils, such as a ten year period, I sometimes leave them in there, but I tend not to because I figure ten years from now when this stops working, no one will know who to point the finger at or might not realize how to fix it.  These people are setting a ten year bomb to explode for no good reason.

On 9/13/19, 9:43 AM, "users on behalf of shibboleth655 at lewenberg.com" <users-bounces at shibboleth.net on behalf of shibboleth655 at lewenberg.com> wrote:

We run a local federation for on-campus SPs. These SPs are both locally-run applications as well as third-party cloud applications. Some of the submitted SP metadata has the validUntil attribute, most does not.

Many (most?) of our SPs would rather omit it entirely as it is just one more thing that can get in the way of their application working.

When an SP operator asks why they should include the validUntil attribute, I say that if they don't have their own reasons for using it, it _does_ force life-cycle management.

I would like to hear what other IdP operators do for validUntil: do they require it? encourage it? reasons?


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
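An added example, not from this thread and not Shibboleth's own code, of the check an IdP operator can run over submitted SP metadata before registering it locally: it classifies the root validUntil the way the replies above do (absent, expired, short-lived, long-lived) and strips the attribute from unsigned metadata. The entityID, the 30-day threshold and the sample XML are constructed.

```python
"""Audit and strip validUntil in SAML SP metadata (added example, not from the thread)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample: unsigned SP metadata whose validUntil is one week after issue.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://sp.example.org/shibboleth" validUntil="2019-09-20T12:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_xs_datetime(value):
    """Parse the UTC xs:dateTime form ('...Z') used in SAML metadata."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify_valid_until(xml_text, now, short_threshold=timedelta(days=30)):
    """Classify the root validUntil relative to `now`: absent, expired,
    short-lived (only workable with automatic refresh) or long-lived
    (the multi-year value that fails years later with nobody left to fix it)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    raw = root.get("validUntil")
    if raw is None:
        return {"entityID": entity_id, "validUntil": None, "status": "absent"}
    expiry = parse_xs_datetime(raw)
    remaining = expiry - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= short_threshold:
        status = "short-lived"
    else:
        status = "long-lived"
    return {"entityID": entity_id, "validUntil": expiry, "status": status}


def strip_valid_until(xml_text):
    """Return the metadata with validUntil removed from every md:* element.
    Only for unsigned metadata: changing any attribute breaks an enveloped
    XML signature, so a signed file would have to be re-signed instead."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.startswith("{" + MD_NS + "}"):
            elem.attrib.pop("validUntil", None)
    return ET.tostring(root, encoding="unicode")
```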
