IdP Signing Certificate question

Brian Biggs biggsb at sonoma.edu
Thu Jan 21 17:51:51 UTC 2021 

Thanks Nate and Scott.

Just to be clear, what I'm hearing is that keeping our private key and
changing our public key doesn't buy us anything as far as keeping SPs
working during a transition. Is that right?
So we might as well generate new public and private keys and work on a
coordinated cutover with all our SPs...

Thanks,
-Brian

On Thu, Jan 21, 2021 at 9:45 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 1/21/21, 11:41 AM, "users on behalf of Brian Biggs" <
> users-bounces at shibboleth.net on behalf of biggsb at sonoma.edu> wrote:
>
> >    So, my question is: If I generate a new self-signed IdP signing cert
> using the existing IdP signing key, then drop that new
> > cert into our metadata, will SPs who have the old metadata continue to
> work?
>
> Shibboleth will. Everything else in the world probably won't and most of
> them don't use metadata to start with. There is no way for anybody but the
> people who wrote something to say what it will do when it comes to
> evaluating things. I know of SPs that work fine but a much larger number
> that won't, and none of them are documemted in that regard or would know
> how to answer if you asked them.
>
> In the end, key changes cannot happen unless you explicitly manage all of
> the systems to the level of dictating which certificate is used, and there
> isn't much value in rushing to change the certificate for anything that
> isn't already broken already.
>
> >    Follow up question: Is there a "best practice" for what key length
> and digest hashing algorithm to use for an IdP signing
> > cert? I'm guessing 2048 and sha256 are the minimum, but will going to
> 4096 and sha512 likely cause interoperability
> > issues with some SPs?
>
> The safe assumption is the same answer as above. I use SHA-2. I went with
> 3072 and I believe I hit something that wasn't happy with 4096 very early
> on when I tried it, but I don't remember what it was.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>


-- 
Lead Identity Mgmt/Systems Integration
Information Technology
Sonoma State University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20210121/66f40529/attachment.htm>

More information about the users mailing list