Simple signature validation

Steve Herrera sherrera at fsmail.bradley.edu
Thu Oct 13 00:51:45 UTC 2022


"They're wrong, starting with the fact that public keys and certificates
don't create signatures, private keys do. You can't be uploading a
certificate that does anything related to this problem unless you're also
uploading the corresponding private key for it to use, which would be silly
to do."

Actually, yes, they require the customer to generate the RSA certificate
public and private key with length 4096. The portal has me configure my IDP
instance name, metadata (these seem normal), but then fill in what their
entity ID is following their guidelines, upload a certificate and private
key. From that, they have a button to generate the SP metadata. The signing
certificate in that metadata is the one I've uploaded.

I will check with them on the signing of the AuthnRequests.

Steve Herrera
Information Security
Bradley University
Phone: 309 / 677-2336
FAX: 309 / 677-3460
Email: sherrera at fsmail.bradley.edu


On Wed, Oct 12, 2022 at 7:04 PM Cantor, Scott via users <
users at shibboleth.net> wrote:

> >    The SP has a portal where I submit the certificate and generate its
> > metadata. That's what I put in our IDP. Their techs said that is the
> > certificate used to sign the request.
>
> They're wrong, starting with the fact that public keys and certificates
> don't create signatures, private keys do. You can't be uploading a
> certificate that does anything related to this problem unless you're also
> uploading the corresponding private key for it to use, which would be silly
> to do.
>
> You can upload *your* certificate, you can't upload theirs. It has to come
> from them.
>
> They also shouldn't be signing the AuthnRequests in the first place,
> that's not a useful thing to do.
>
> Then there's the fact that OpenSAML 3 is end-of-life and unsupported...
>
> -- Scott
>
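As an added example (not code from this thread, nor from Shibboleth or OpenSAML), here is a small check an IdP operator can run over the SP's generated metadata to see which certificate it advertises for signing and whether that is the very certificate uploaded through the portal. That is Scott's point in practice: a certificate you supplied cannot be the SP's signer unless the SP also holds your private key. The namespaces are the standard SAML 2.0 metadata and XML-DSig ones; the metadata document and the "certificate" bytes are constructed placeholders, not real X.509 DER.

```python
# Added example, not from the thread. The metadata and the base64
# "certificates" are constructed placeholders, not real X.509 DER.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes as colon-separated uppercase hex."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def key_descriptors(metadata_xml: str) -> dict:
    """Map each KeyDescriptor use ('signing', 'encryption', or 'any' when
    the attribute is absent) to the fingerprints of its certificates."""
    result = {}
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop line wraps
            result.setdefault(kd.get("use", "any"), []).append(cert_fingerprint(der))
    return result

def sp_signs_with_our_cert(metadata_xml: str, our_cert_der: bytes) -> bool:
    """True when the SP advertises the certificate *we* uploaded as its signing
    key. A cert we own cannot produce the SP's signatures unless the SP also
    holds our private key, so True means the SP is not really the signer."""
    kds = key_descriptors(metadata_xml)
    return cert_fingerprint(our_cert_der) in kds.get("signing", []) + kds.get("any", [])

# Constructed inputs: arbitrary bytes standing in for DER certificates.
UPLOADED_CERT_DER = b"placeholder-cert-uploaded-through-the-sp-portal"
SP_OWN_CERT_DER = b"placeholder-cert-generated-by-the-sp-itself"
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(UPLOADED_CERT_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SP_OWN_CERT_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `sp_signs_with_our_cert(SP_METADATA, UPLOADED_CERT_DER)` against real metadata by substituting the SP's metadata document and the DER bytes of the uploaded certificate; a True result means the advertised signing certificate is yours, not the SP's.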