AW: back-channel on front-channel port

Bergmann, Clemens clemens.bergmann at
Tue Jun 29 05:51:28 UTC 2021

Hi Scott,

Thanks again for the fast reply, but I don't understand fully what you are recommending.
Do I understand you correctly that you suggest that certificate authentication is not needed nowadays and therefore the additional port can be ignored?

Kind regards
Clemens Bergmann
User Management and Development Group
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64289 Darmstadt
Tel. +49 6151 16 71184

> -----Original Message-----
> From: users <users-bounces at> On Behalf Of Cantor, Scott
> Sent: Monday, 28 June 2021 16:34
> To: Shib Users <users at>
> Subject: Re: back-channel on front-channel port
>
> You don't have to do anything special, and no, you can't really rely on
> certificate authentication like that, it doesn't work reliably when it's not
> host-based and there's no intent that it would work. The messages are signed
> instead, and the possibility of MITM exposure is simply ignored.
> -- Scott