Signature trust establishment failed for metadata entry
ndk at signet.id
Mon Jun 29 22:24:59 UTC 2020
It looks like they're just signing their own metadata using their own SP keypair, so you're really not getting any value from that embedded signature anyway. The real trust establishment is out of band. You can safely remove it and I don't really know why they'd do it in the first place.
As a general note, if were signed by a third party that you both consider trustworthy and you could rely on that for trust establishment, then you would want to load it separately and validate it with the third party's public key.
Signet, Inc. ®
The Art of Access ®
> From: Mak, Steve
> Sent: Monday, June 29 2020, 3:41 pm
> To: Shib Users
> Subject: RE: Signature trust establishment failed for metadata entry
> is there a security issue by removing that SP own/embeded signature (provider by the partner) , as long as I resign it on my side with my "federation-agregrate" ?
> It could mean the file was modified after the signature was generated, which is why the validation is failing. Or the person providing the file doesn’t completely understand xml signatures.
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users