Shibboleth Service Provider with RSA-PSS

Cantor, Scott cantor.2 at osu.edu
Mon May 16 12:13:51 UTC 2022


On 5/16/22, 5:48 AM, "users on behalf of Dennis Nikolay" <users-bounces at shibboleth.net on behalf of d.nikolay at wikom.de> wrote:

> This is very unfortunate, as RSA-PSS is one of the signature algorithms the BSI approved for governmental
> software in Germany. Furthermore, the MUK identity provider, which is to become the central login for
> business-related eGovernment services in Germany as per OZG, decided to require this signature algorithm.

That was not a great choice unless the point was to exclude the majority of software.

> This does not seem to be a fringe use case so I am surprised that there are no plans for Shibboleth to support
> RSA-PSS.

Nobody has ever asked, and no, it's not realistic in the SP. Supporting it in Java in the IdP as a proxy is a possibility (it might even work already).

I will definitely be surprised if you manage to find any commodity implementation that does, but I can imagine some doing so by accident if they're layered on particular XML Signature libraries (thus, why the IdP might happen to support it). The one I have to use does not, and me implementing it is not likely.

-- Scott
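The interoperability problem discussed in this thread only shows up at the SP once a signed message arrives, so a practitioner would want to know in advance which ds:SignatureMethod an IdP actually emits and whether it is one of the RSASSA-PSS identifiers from RFC 6931. The following script is an added example, not part of Scott's message and not Shibboleth code. It parses a SAML response, reports the signature scheme and (for RSA-PSS) the digest, MGF digest, salt length and trailer field, and compares the algorithm URI against an allowlist. The allowlist `SP_ACCEPTS`, the sample responses, and the helper names are constructed for the example; the allowlist is not the Shibboleth SP's real algorithm list. The RFC 6931 defaults applied when RSAPSSParams or its children are absent (SHA-256, MGF1 with the same digest, salt length equal to the digest length, trailer field 1) are stated as I understand that RFC.

```python
"""Pre-flight check: which XML Signature algorithm does a SAML response use,
and would a relying SP with a given allowlist accept it?  Added example only."""
import xml.etree.ElementTree as ET  # for untrusted SAML use a hardened parser (e.g. defusedxml)

DS = "http://www.w3.org/2000/09/xmldsig#"
DSM = "http://www.w3.org/2001/04/xmldsig-more#"
PSS = "http://www.w3.org/2007/05/xmldsig-more#"   # RFC 6931 namespace

# RFC 6931 RSASSA-PSS identifiers.  The "<digest>-rsa-MGF1" URIs fix every
# parameter by name alone; "#rsa-pss" carries explicit pss:RSAPSSParams.
RSA_PSS_FIXED = {PSS + f"{d}-rsa-MGF1": d for d in ("sha1", "sha224", "sha256", "sha384", "sha512")}
RSA_PSS_PARAMETRIZED = PSS + "rsa-pss"

DIGEST_BYTES = {"sha1": 20, "sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}
DIGEST_URIS = {
    DS + "sha1": "sha1",
    DSM + "sha224": "sha224",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    DSM + "sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}

# Hypothetical allowlist for the relying SP (constructed for this example; it
# is NOT the Shibboleth SP's actual list).  Only PKCS#1 v1.5 RSA and ECDSA here.
SP_ACCEPTS = {DSM + "rsa-sha256", DSM + "rsa-sha384", DSM + "rsa-sha512", DSM + "ecdsa-sha256"}


def parse_pss_params(sm):
    """Extract RSASSA-PSS parameters from ds:SignatureMethod, applying RFC 6931 defaults."""
    params = {"digest": "sha256", "mgf_digest": "sha256", "salt_length": None, "trailer_field": 1}
    p = sm.find(f"{{{PSS}}}RSAPSSParams")
    if p is not None:
        dm = p.find(f"{{{DS}}}DigestMethod")
        if dm is not None:
            params["digest"] = DIGEST_URIS.get(dm.get("Algorithm"), "unknown")
        mgf = p.find(f"{{{PSS}}}MaskGenerationFunction")
        if mgf is not None:  # MGF1; its own ds:DigestMethod child defaults to SHA-256
            mdm = mgf.find(f"{{{DS}}}DigestMethod")
            params["mgf_digest"] = DIGEST_URIS.get(mdm.get("Algorithm"), "unknown") if mdm is not None else "sha256"
        sl = p.find(f"{{{PSS}}}SaltLength")
        if sl is not None:
            params["salt_length"] = int(sl.text.strip())
        tf = p.find(f"{{{PSS}}}TrailerField")
        if tf is not None:
            params["trailer_field"] = int(tf.text.strip())
    if params["salt_length"] is None:  # default salt length = digest output length
        params["salt_length"] = DIGEST_BYTES.get(params["digest"])
    return params


def describe_signature_method(xml_text: str) -> dict:
    """Return the signature algorithm in use, its PSS parameters if any, and whether SP_ACCEPTS allows it."""
    root = ET.fromstring(xml_text)
    sm = root.find(f".//{{{DS}}}SignatureMethod")
    if sm is None:
        return {"algorithm": None, "scheme": "unsigned", "accepted": False}
    alg = sm.get("Algorithm", "")
    info = {"algorithm": alg, "accepted": alg in SP_ACCEPTS}
    if alg in RSA_PSS_FIXED:
        d = RSA_PSS_FIXED[alg]
        info.update(scheme="RSASSA-PSS", digest=d, mgf_digest=d, salt_length=DIGEST_BYTES[d], trailer_field=1)
    elif alg == RSA_PSS_PARAMETRIZED:
        info.update(scheme="RSASSA-PSS", **parse_pss_params(sm))
    else:
        info["scheme"] = "non-PSS"
    return info


def _response(signature_method_xml: str) -> str:
    """Constructed minimal SAML response skeleton; SignatureValue is a placeholder, not a real signature."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'xmlns:pss="http://www.w3.org/2007/05/xmldsig-more#" ID="_example" Version="2.0">'
        '<ds:Signature><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        + signature_method_xml +
        '</ds:SignedInfo><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>'
        '</samlp:Response>'
    )


# Constructed sample inputs: classic RSA PKCS#1 v1.5, fixed-parameter PSS, and parametrized PSS.
SAMPLE_RSA_SHA256 = _response(f'<ds:SignatureMethod Algorithm="{DSM}rsa-sha256"/>')
SAMPLE_PSS_FIXED = _response(f'<ds:SignatureMethod Algorithm="{PSS}sha256-rsa-MGF1"/>')
SAMPLE_PSS_PARAMS = _response(
    f'<ds:SignatureMethod Algorithm="{RSA_PSS_PARAMETRIZED}"><pss:RSAPSSParams>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    '<pss:SaltLength>32</pss:SaltLength></pss:RSAPSSParams></ds:SignatureMethod>')

if __name__ == "__main__":
    for name, doc in [("rsa-sha256", SAMPLE_RSA_SHA256), ("pss-fixed", SAMPLE_PSS_FIXED), ("pss-params", SAMPLE_PSS_PARAMS)]:
        print(name, describe_signature_method(doc))
```

Run it against a captured IdP response or a metadata-signed document before wiring up an SP: a `RSASSA-PSS` result with `accepted: False` is exactly the case the thread describes, and the reported salt length and digest tell you what a proxying IdP would have to support.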
