IdP Certificate Validity checking
Mark Cairney
Mark.Cairney at ed.ac.uk
Thu Dec 3 15:19:20 UTC 2020
Thanks,
That's what I thought was the case but thought it best to check first.
For info the appropriate paragraph from the standard is:
"
In the case of an X.509 certificate, there are no requirements as to the
content of the certificate apart from the requirement that it contain
the appropriate public key. Specifically, the certificate may be
expired, not yet valid, carry critical or non-critical extensions or
usage flags, and contain any subject or issuer. The use of the
certificate structure is merely a matter of notational convenience to
communicate a key and has no semantics in this profile apart from that.
However, it is RECOMMENDED that certificates be unexpired.
"
I'll feed this back but also point out that other IdP implementations
may behave differently.
Kind regards,
Mark
On 03/12/2020 14:16, Cantor, Scott wrote:
>> Does the IdP do any validity checking of certificates or does it simply ignore the
>> expiry data?
> No. What we do is exactly what's defined in the standard.
>
> https://wiki.oasis-open.org/security/SAML2MetadataIOP
>
> Unless you only care about Shibboleth IdPs, that's not going to matter much.
>
> -- Scott
>
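The profile behaviour discussed above, as an added example that is not code from this thread or from Shibboleth: a metadata consumer that takes the public key from every ds:X509Certificate it finds, ignores the certificate's validity period for trust purposes, and only reports expired or not-yet-valid certificates (the RECOMMENDED, not REQUIRED, part of the standard). The minimal DER walker, the constructed placeholder certificate and the example entityID are assumptions made for the demo.

```python
import base64, xml.etree.ElementTree as ET
from datetime import datetime, timezone
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos); long-form lengths handled."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(seq):
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos); out.append((tag, val))
    return out

def parse_cert(der):
    """Validity and SubjectPublicKeyInfo body from a DER certificate (UTCTime dates only)."""
    fields = _children(_children(_tlv(der)[1])[0][1])   # Certificate -> tbsCertificate fields
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    nb, na = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
              for _, v in _children(fields[3][1]))
    return {"not_before": nb, "not_after": na, "spki": fields[5][1]}   # serial, signature, issuer, validity, subject, spki

def check_metadata_keys(xml_text, now=None):
    """Profile behaviour: every ds:X509Certificate yields a usable key; validity is only reported."""
    now = now or datetime.now(timezone.utc)
    keys = []
    for el in ET.fromstring(xml_text).iter(DS + "X509Certificate"):
        c = parse_cert(base64.b64decode("".join(el.text.split())))
        warn = "expired" if now > c["not_after"] else "not yet valid" if now < c["not_before"] else None
        keys.append({"spki": c["spki"], "warning": warn})   # kept regardless of validity
    return keys

# Constructed fixture (assumption): a minimal unsigned DER certificate with a placeholder key, not a real cert.
def _der(tag, body):
    assert len(body) < 128                                # short-form length suffices for the fixture
    return bytes([tag, len(body)]) + body
def _seq(*parts): return _der(0x30, b"".join(parts))
_RSA_OID = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # rsaEncryption, reused for both AlgIds
def constructed_cert(not_before, not_after):            # dates as UTCTime strings, e.g. "200101000000Z"
    tbs = _seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _seq(_RSA_OID), _seq(),
               _seq(_der(0x17, not_before.encode()), _der(0x17, not_after.encode())), _seq(),
               _seq(_seq(_RSA_OID), _der(0x03, b"\x00PLACEHOLDER-KEY")))
    return _seq(tbs, _seq(_RSA_OID), _der(0x03, b"\x00"))
def sample_metadata(*cert_ders):                         # constructed metadata for a made-up IdP
    certs = "".join(f"<ds:X509Certificate>{base64.b64encode(c).decode()}</ds:X509Certificate>" for c in cert_ders)
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">'
            f'<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>{certs}</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
```

Running check_metadata_keys over metadata carrying an expired and a not-yet-valid certificate returns both keys with a warning attached to each; a consumer that wants the stricter behaviour Mark asks about has to add that rejection itself, and other IdP products may already do so.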