signing IDP metadata
cantor.2 at osu.edu
Fri Apr 29 12:18:24 UTC 2022
Basically, the conditions for using a remote feed of metadata (*) with any kind of reasonable security benefits are:
- it's signed periodically
- it has a fairly short lifetime
Without that, obvious attacks become possible.
While an online signing key is not ideal, and one can certainly do better with HashiCorp Vault or some kind of HSM, it's infinitely better to do that and automate the signing than to rely on TLS, not only because of the problems with CAs but also because the attacks possible against keys that are used for TLS are much more expansive than needing to actually get a foothold on a server to access a signing key.
I have my own feed on campus with an online signing key to allow me to deploy settings locally that aren't deployed to InCommon. I don't make use of that often, but I have on occasion.
(*) This is assuming the standard inline key model we use. With PKIX evaluation of signing certificates, the issues are very different, but so are the additional requirements (i.e., revocation).