IdP Certificate Validity checking
IAM David Bantz
dabantz at alaska.edu
Thu Dec 3 15:33:44 UTC 2020
Additional note of caution:
While the IdP does not check validity of the certs in metadata for expiry,
the SP in question *might* expire their metadata in concert with expiry of
the certs.
The IdP does honor SP metadata expiration if specified in EntityDescriptor.
David St. Pierre Bantz
On 3 Dec 2020 at 06:19:20, Mark Cairney <Mark.Cairney at ed.ac.uk> wrote:
> Thanks,
>
> That's what I thought was the case but thought it best to check first.
>
> For info the appropriate paragraph from the standard is:
>
> "In the case of an X.509 certificate, there are no requirements as to the
> content of the certificate apart from the requirement that it contain the
> appropriate public key. Specifically, the certificate may be expired, not
> yet valid, carry critical or non-critical extensions or usage flags, and
> contain any subject or issuer. The use of the certificate structure is
> merely a matter of notational convenience to communicate a key and has no
> semantics in this profile apart from that. However, it is RECOMMENDED that
> certificates be unexpired."
>
> I'll feed this back but also point out that other IdP implementations may
> behave differently.
>
> Kind regards,
>
> Mark
>
> On 03/12/2020 14:16, Cantor, Scott wrote:
> >
> > > Does the IdP do any validity checking of certificates or does it simply ignore the
> > > expiry data?
> >
> > No. What we do is exactly what's defined in the standard.
> > https://wiki.oasis-open.org/security/SAML2MetadataIOP
> >
> > Unless you only care about Shibboleth IdPs, that's not going to matter much.
> >
> > -- Scott
>
>
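The practical consequence of the thread, that the IdP follows the Metadata IOP profile and ignores certificate notBefore/notAfter while honouring validUntil on the EntityDescriptor, is that an expiring SP certificate in metadata only gets noticed if something outside the IdP looks for it. The script below is an added example written for this page, not code from the Shibboleth project or from the participants: it parses SP metadata, reads the validity window straight out of the DER of each ds:X509Certificate with a minimal ASN.1 walker (standard library only, no cryptography package), and reports each certificate next to the validUntil check the IdP would apply on its own. The metadata, the entityID https://sp.example.org/shibboleth and the certificate are constructed fixtures; the certificate is an unsigned, structurally valid DER stub rather than a real key, and the clock is pinned to the thread's date so the result is reproducible.

```python
"""Added example: report X.509 validity and validUntil found in SAML SP metadata.
The Shibboleth IdP (per the Metadata IOP profile) ignores certificate expiry but
honours EntityDescriptor/@validUntil, so this is the check operators must run
themselves. Standard library only; all fixtures below are constructed."""
import base64
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def cert_validity(der):
    """Return (notBefore, notAfter) as UTC datetimes from a DER X.509 certificate.
    Walks Certificate -> tbsCertificate -> validity and nothing else: as the
    profile says, the certificate is only a container for the key here."""
    _, cert_start, _ = _der_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_start, tbs_end = _der_tlv(der, cert_start)   # tbsCertificate SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    _, v_start, v_end = fields[3]                       # serial, sigAlg, issuer, validity
    times = []
    for tag, s, e in _children(der, v_start, v_end):
        fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]  # UTCTime / GeneralizedTime
        text = der[s:e].decode("ascii")
        times.append(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]


def check_metadata(xml_text, now=None):
    """Return [(what, not_after_or_validUntil, ok_at_now), ...] for one EntityDescriptor."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    valid_until = root.get("validUntil")                # the one expiry the IdP does enforce
    if valid_until:                                      # assumes xs:dateTime without fractional seconds
        vu = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        findings.append(("validUntil", vu, vu > now))
    else:
        findings.append(("validUntil", None, True))
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        use = kd.get("use", "signing+encryption")       # no @use means both
        for c in kd.iter("{%s}X509Certificate" % DS_NS):
            der = base64.b64decode(re.sub(r"\s+", "", c.text))
            not_before, not_after = cert_validity(der)
            findings.append(("cert:" + use, not_after, not_before <= now <= not_after))
    return findings


# ---- constructed fixtures (not a real SP, not a real key) ----

def _tlv(tag, body):
    """Encode one DER element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_der(not_before, not_after):
    """Unsigned, structurally valid certificate stub: only the validity is meaningful."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = _tlv(0x30, b"")                               # empty Name; profile allows any subject/issuer
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
               + _tlv(0x30, utc(not_before) + utc(not_after)) + name
               + _tlv(0x30, alg + _tlv(0x03, b"\x00\x00")))   # placeholder SubjectPublicKeyInfo
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))     # zero "signature" bits


def sample_metadata(cert_der, valid_until):
    """Minimal SP metadata embedding cert_der; the entityID is made up."""
    vu = ' validUntil="%s"' % valid_until if valid_until else ""
    xml = ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
           'entityID="https://sp.example.org/shibboleth"%s><md:SPSSODescriptor '
           'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
           '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
           '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
           '</md:SPSSODescriptor></md:EntityDescriptor>')
    return xml % (MD_NS, DS_NS, vu, base64.b64encode(cert_der).decode())


def demo(valid_until="2021-12-31T00:00:00Z"):
    """Run the check on the fixtures with the clock pinned to the thread's date."""
    now = datetime(2020, 12, 3, 15, 33, tzinfo=timezone.utc)
    der = fake_cert_der(datetime(2018, 1, 1, tzinfo=timezone.utc),
                        datetime(2020, 6, 30, tzinfo=timezone.utc))
    return check_metadata(sample_metadata(der, valid_until), now)


if __name__ == "__main__":
    for what, when, ok in demo():
        print("%-14s %-26s %s" % (what, when, "ok" if ok else "EXPIRED or not yet valid"))
```

Against real metadata, pass the file contents to check_metadata(): the cert findings are what to alert on, and the validUntil finding shows whether the IdP would already have dropped the entity by itself, which is the case David Bantz warns about where an SP times its metadata to its certificates. The script reads validity only; it verifies no signature or chain, which matches the profile's position that the certificate is a key container and nothing more.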