...
InCommon sets the following security and trust parameters around certificates that are included in Federation metadata:
- The use of self-signed certificates in Federation metadata is strongly RECOMMENDED.
- RSA keys with a minimum size of 2048 bits must be used for all new certificates introduced into Federation metadata.
- No certificates with keys less than 2048 bits will be allowed in Federation metadata after December 2012.
- All participants must migrate old 1024-bit keys out of metadata and upgrade to 2048-bit keys by December 2012.
- We recommend that participants submit a new certificate with a new 2048-bit key every 3 years.
- Expired certificates will not be accepted into Federation metadata.
- Certificates in metadata that expire may be retained in the metadata at the discretion of the participant.
- InCommon does not validate Subject information in self-signed certificates because this information is irrelevant to the federated security context. However, at its own discretion, InCommon will reject a metadata submission that contains a certificate whose Subject fields are egregiously misrepresented, as decided by InCommon on a case-by-case basis. In general, your Subject information should express a reasonable relationship between the certificate and your organization.
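A pre-submission check of a certificate against the parameters above, as an added shell example (not InCommon's own tooling); it assumes the openssl CLI and a PEM-encoded certificate, and leaves the 3-year rotation recommendation and the Subject-plausibility rule to human review.

```shell
#!/bin/sh
# Added example, not InCommon's own tooling: check a PEM certificate against
# the metadata parameters listed above using only the openssl CLI (assumed
# installed). Returns 0 when every mandatory check passes, 1 otherwise.

check_incommon_cert() {
    cert="$1"
    fail=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse $cert as an X.509 certificate"; return 1; }

    # Algorithm: the policy mandates RSA keys.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "ok:   RSA key"
    else
        echo "FAIL: key is not RSA"; fail=1
    fi

    # Size: at least 2048 bits (1024-bit keys are no longer accepted).
    # The pattern matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
        echo "ok:   key size ${bits} bits"
    else
        echo "FAIL: key size ${bits:-unknown} bits is below 2048"; fail=1
    fi

    # Expiry: expired certificates are not accepted into metadata.
    # -checkend 0 exits non-zero once notAfter is in the past.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok:   not expired ($(openssl x509 -in "$cert" -noout -enddate))"
    else
        echo "FAIL: certificate has expired"; fail=1
    fi

    # Self-signed is recommended, not required, so this is only a warning.
    # Name-hash equality is a structural check; it does not verify the signature.
    subj=$(openssl x509 -in "$cert" -noout -subject_hash)
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$subj" = "$iss" ]; then
        echo "ok:   self-signed (subject == issuer)"
    else
        echo "WARN: not self-signed; self-signed certificates are recommended"
    fi

    return "$fail"
}
```

Run it as `check_incommon_cert sp-cert.pem` before submitting the certificate to the Federation.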
...