Shibboleth Service Provider with RSA-PSS
Cantor, Scott
cantor.2 at osu.edu
Mon May 16 12:13:51 UTC 2022
On 5/16/22, 5:48 AM, "users on behalf of Dennis Nikolay" <users-bounces at shibboleth.net on behalf of d.nikolay at wikom.de> wrote:
> This is very unfortunate, as RSA-PSS is one of the signature algorithms the BSI approved for governmental
> software in Germany. Furthermore, the MUK identity provider, which is to become the central login for
> business-related eGovernment services in Germany as per OZG, decided to require this signature algorithm.
That was not a great choice unless the point was to exclude the majority of software.
> This does not seem to be a fringe use case, so I am surprised that there are no plans for Shibboleth to support
> RSA-PSS.
Nobody has ever asked, and no, it's not realistic in the SP. Supporting it in Java in the IdP as a proxy is a possibility (it might even work already).
I will definitely be surprised if you manage to find any commodity implementation that does, but I can imagine some doing so by accident if they're layered on particular XML Signature libraries (thus, why the IdP might happen to support it). The one I have to use does not, and me implementing it is not likely.
-- Scott