Question about relying-party-system.xml

Ullfig, Roberto Alfredo rullfig at uic.edu
Wed Jun 30 18:48:15 UTC 2021


Yes, understand all that. Service owners have long been notified - some applications have been tested with the new certificate, etc. We've even encountered an SP that broke when we added the second certificate to federated metadata. I think we've prepared as much as we could. Major applications should be fine - there might be a few that break though.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Wednesday, June 30, 2021 1:36 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Question about relying-party-system.xml

On 6/30/21, 2:20 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:

> Thanks! Are there any potential issues with switching from a SHA1 signing certificate to a SHA 256 signing
> certificate? Could any SP be impacted by this?

Yes, not because it's a SHA-2 certificate but because you're *changing your certificate*. That is going to break a ton of stuff.

If it's not Shibboleth, there is no standard governing its behavior and no documentation as to how it does what it does.

So the answer is that you cannot hope to predict anything about it, which is why key changes are so painful. There are a huge number of systems that treat a certificate change as equivalent to a key change. Shibboleth just doesn’t happen to be one of them.

-- Scott
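
The distinction drawn above between a certificate change and a key change, as an added example that is not part of the original thread and is not Shibboleth's code: it compares a whole-certificate fingerprint with a public-key fingerprint across a rollover. It assumes the Python `cryptography` package; the name `idp.example.org`, the serial numbers, the EC keys and the SHA-256/SHA-384 digests are constructed sample values.

```python
import hashlib
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(key, digest, serial):
    """Self-signed certificate for a constructed IdP name (sample data)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "idp.example.org")])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=3650))
        .sign(key, digest)
    )


def cert_fingerprint(cert):
    """SHA-256 over the whole DER certificate: changes on any reissue."""
    return hashlib.sha256(cert.public_bytes(serialization.Encoding.DER)).hexdigest()


def key_fingerprint(cert):
    """SHA-256 over the SubjectPublicKeyInfo: changes only when the key changes."""
    spki = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return hashlib.sha256(spki).hexdigest()


def classify_rollover(old, new):
    """Tell a reissue with the same key apart from a real key change."""
    if cert_fingerprint(old) == cert_fingerprint(new):
        return "unchanged"
    if key_fingerprint(old) == key_fingerprint(new):
        return "reissued-same-key"
    return "new-key"


# Constructed sample certificates: one reissue with the old key, one with a new key.
old_key, new_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
old_cert = make_cert(old_key, hashes.SHA256(), 1001)
reissued = make_cert(old_key, hashes.SHA384(), 1002)
rekeyed = make_cert(new_key, hashes.SHA384(), 1003)
```

A relying party that pins `cert_fingerprint` sees both `reissued` and `rekeyed` as a break, while one that compares `key_fingerprint` only sees `rekeyed` as a change.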

