Versions Compared

Old Version 17

changes.mady.by.user John Krienke (internet2.edu)

Saved on

compared with

New Version 18

changes.mady.by.user John Krienke (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Self-Signed
  2. InCommon Certificate Authority
  3. With a justification, InCommon may also accept certificates from a third-party Certificate Authority (CA).
Panel

(info) Beginning September January 1, 20092010, InCommon will no longer issue certificates signed by the InCommon CA (unless someone freaks out and needs us to). We will transition the entire federation to self-signed certificates over the next 2 years. This will not affect levels of security and should actually help interoperability. Other national-scale federations have implemented this practice and have found it extremely useful for participants.

...

  1. RSA keys with a minimum size of 2048 bits for all new submissions. We still allow current InCommon certs that are 1024. However, all participants must migrate old 1024-bit certificates out of the metadata and upgrade to 2048. All certificates in the federation must be upgraded to 2048 key sizes by the end of August December 2011. We recommend that participants submit a 2048 certificate with a new key every 3 years.
  2. Expired certificates will not be accepted. However, current certificates that do expire may be retained in the metadata at the discretion of the participant. Shibboleth does not check expiration dates of certificates, but this practice may cause interoperability issues with other software.
  3. Because the fields in the certificate are not relevant to any runtime processing or security in the federated context, InCommon will not verify or impose any requirements on certificate fields, with one caveat. At its own choosing, InCommon will reject metadata submissions if that submission contains a certificate with fields that contain egregiously misrepresentative Subject information as decided by InCommon on a case by case basis. Generally, your subject information should express somewhat reasonably to you and others a relationship between the certificate and your organization. See also "Points to Consider" below.

...

  • Announcement next week about Oct 22nd:
    • o    Go live with Service
      o    Webinar date
      o    Two line summary on HomePage and within architecture of the website
      o    Announce this to incommon-participants Tues at 9am??: Announcing
      •    A chance to discuss technical issues with the TAC and Ops
      •    Self Signed Certs
      •    SAML2 and Shib 2 migration issues.
      •    Self Signed Certs page. Made Public with Correct Dates. On the wiki.
      •    Adobe Connect. Use the IM chat facility and the Shared Desktop facility to talk through the web pages:
      o    https://spaces.at.internet2.edu/display/InCCollaborate/SAML+2.0+FAQImage Removed
      o    https://spaces.at.internet2.edu/display/inctac/Third-Party+CertsImage Removed
      o    https://spaces.at.internet2.edu/display/SHIB2/IdPUpgradesImage Removed
      •    Talk with TechSupport about setting up the magic recording black box for Adobe Connect
      •    After event announcement about the recorded event and pointers on the web.
      •    Potential post production to create evergreen content??
      •    FOPP and CP/CPS related. (John)

...