Versions Compared

Old Version 15

changes.mady.by.user John Krienke (internet2.edu)

Saved on

compared with

New Version 16

changes.mady.by.user John Krienke (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. RSA keys with a minimum size of 2048 bits for all new submissions. We still allow current InCommon certs that are 1024. However, all participants must migrate old 1024-bit certificates out of the metadata and upgrade to 2048. All certificates in the federation must be upgraded to 2048 key sizes by the end of August 2011. We recommend that participants submit a 2048 certificate with a new key every 3 years.
  2. Expired certificates will not be accepted. However, current certificates that do expire may be retained in the metadata at the discretion of the participant. Shibboleth does not check expiration dates of certificates, but this practice may cause interoperability issues with other software.
  3. Because the fields in the certificate are not relevant to any runtime processing or security in the federated context, InCommon will not verify or impose any requirements on certificate fields, with one caveat. At its own choosing, InCommon will reject metadata submissions if that submission contains a certificate with fields that contain egrigiously egregiously misrepresentative Subject information as decided by InCommon on a case by case basis.

...

  1. Generally, your subject information should express somewhat reasonably to you and others a relationship between the certificate and your organization. See also "Points to Consider" below.

Points to Consider

To increase your chances of your deployment interoperating with other products:

...

  1. Continue using the same certificate. Shibboleth does not rely on expiration dates of certificates. Some software may check expiration dates, therefore, we recommend the following.
  2. Submit a self-signed 2048 bit certificate as soon as is practicable.
    Wiki Markup
    Here are instructions for creating a self-signed cert.\[link\]
     (question)
  3. For key management and migration, InCommon allows multiple certificates per end point at any time.

...

Third-party certificates signed by an authoritative CA are discouraged since they can create interoperability issues in certain cases, and lead to configurations that mistakenly rely on the certificate signer to establish trust in the certificate. Where necessary they can be accommodated because of constraints imposed on participants from other sources.

"If web servers and SSL could deal with bare keys, we'd be fine."(warning)

Disclaimers

...

What's left on the ToDo List prior go Going live:

  1. Disclaimer in the metadata itself(warning)
  2. Disclaimer check box upon submission: Talk to Legal.(warning)
  3. 1st of a set of quarterly tech sessions to handle questions. Schedule this for Aug 27th?(warning)

Do we need an additional FAQ or is this sufficient?(question)

  • "If web servers and SSL could deal with bare keys, we'd be fine."