Introduction
InCommon accepts X.509 server certificates from the following certificate providers:
- Self-Signed
- InCommon CA
- Any third-party CA
InCommon accepts this broad array of certificates because... (fill in)
Requirements
InCommon sets the following security and trust parameters around certificates that are included in federation metadata.
- Minimum key size of 2048 bits
- No expired certs accepted (although expired certs may be retained in the metadata at the discretion of the IdP/SP).
- CN equivalent to the SP or IdP Shibboleth domain?
- Critical extensions?
- CA bit must be off?
- Encryption and signing allowed?
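The requirements list above, expressed as a checker a federation operator could run over a submitted certificate. This is an added example written for this page, not InCommon's own tooling; it uses only the Go standard library, reads the open questions (CN, critical extensions, CA bit, key usage) as one plausible set of rules, and treats the "expected CN" as the domain the SP/IdP registered. The self-signed certificates it builds are constructed test data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinKeyBits is the 2048-bit minimum from the requirements list.
const MinKeyBits = 2048

// CheckMetadataCert evaluates one certificate against the requirements on
// this page and returns a list of findings; an empty list means it passes.
// expectedCN is the registered SP/IdP domain (assumption: the CN must match it).
func CheckMetadataCert(cert *x509.Certificate, expectedCN string, now time.Time) []string {
	var findings []string

	// Key size: only RSA is checked, since the list speaks of a bit-length minimum.
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < MinKeyBits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits, minimum is %d", bits, MinKeyBits))
		}
	default:
		findings = append(findings, fmt.Sprintf("unsupported public key type %T", pub))
	}

	// Validity: expired (or not-yet-valid) certificates are not accepted.
	if now.After(cert.NotAfter) {
		findings = append(findings, "certificate expired on "+cert.NotAfter.UTC().Format(time.RFC3339))
	}
	if now.Before(cert.NotBefore) {
		findings = append(findings, "certificate not valid until "+cert.NotBefore.UTC().Format(time.RFC3339))
	}

	// CA bit: an entity's signing/encryption certificate must not be a CA.
	if cert.IsCA {
		findings = append(findings, "basicConstraints CA=TRUE is set")
	}

	// Key usage: when the extension is present it must allow both signing and
	// key encipherment, because the same cert serves SAML signing and encryption.
	if cert.KeyUsage != 0 {
		if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
			findings = append(findings, "keyUsage does not permit digitalSignature")
		}
		if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
			findings = append(findings, "keyUsage does not permit keyEncipherment")
		}
	}

	// Critical extensions the parser did not understand are recorded by Go;
	// a relying party would reject such a certificate, so flag them here.
	for _, oid := range cert.UnhandledCriticalExtensions {
		findings = append(findings, "unrecognised critical extension "+oid.String())
	}

	// Subject CN versus the registered domain.
	if expectedCN != "" && cert.Subject.CommonName != expectedCN {
		findings = append(findings, fmt.Sprintf("CN %q does not match registered domain %q", cert.Subject.CommonName, expectedCN))
	}
	return findings
}

// NewSelfSignedCert builds a constructed self-signed certificate (one of the
// accepted provider types) so the checker can be exercised offline.
func NewSelfSignedCert(cn string, bits int, isCA bool, notAfter time.Time, usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo runs the checker over one compliant and one non-compliant constructed
// certificate and returns both sets of findings.
func Demo() (good, bad []string, err error) {
	now := time.Now()
	ok, err := NewSelfSignedCert("sp.example.edu", 2048, false, now.Add(24*time.Hour),
		x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment)
	if err != nil {
		return nil, nil, err
	}
	// 1024-bit, expired, CA bit set, signing-only usage, and a CN that is not
	// the registered domain: every rule except critical extensions should fire.
	weak, err := NewSelfSignedCert("idp.example.edu", 1024, true, now.Add(-24*time.Hour),
		x509.KeyUsageDigitalSignature)
	if err != nil {
		return nil, nil, err
	}
	return CheckMetadataCert(ok, "sp.example.edu", now), CheckMetadataCert(weak, "sp.example.edu", now), nil
}

func main() {
	good, bad, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("compliant cert findings:", good)
	fmt.Println("non-compliant cert findings:", bad)
}
```

The checker deliberately reports every failing rule rather than stopping at the first, so an operator reviewing a submission sees the whole list at once; the key-usage check is skipped when the extension is absent, matching the common case of self-signed Shibboleth certificates that carry no keyUsage at all.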
Policy
- Domains in the cert will be approved by InCommon?? If the TAC as a group thinks no, John will then take it to Steering and legal to discuss the liability implications of publishing domains that have not been approved.