The InCommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content.




Introduction

InCommon accepts X.509 server certificates from the following certificate providers:

  1. Self-Signed
  2. InCommon CA
  3. Any third-party CA [Scott had some things to say about why using commercial certs should be highly discouraged.]

InCommon accepts this broad array of certificates because... (fill in)

Requirements

InCommon sets the following security and trust parameters around certificates that are included in federation metadata.

  1. Minimum key size of 2048 bits
  2. No expired certs accepted (although expired certs may be retained in the metadata at the discretion of the IdP/SP).
  3. CN equal to the SP or IdP Shibboleth domain?
  4. Critical extensions?
  5. CA bit must be off?
  6. Encryption and signing allowed?
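The draft parameters above can be turned into a mechanical check. The following is an added example written for this page (not InCommon's own tooling) using the pyca/cryptography library; it assumes RSA keys, treats the open questions in items 3, 5 and 6 as if they were adopted as written, and builds its own self-signed test certificates as constructed input.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def check_metadata_cert(pem: bytes, expected_host: str = "") -> list:
    """Return the draft requirements a certificate violates (empty list = accepted)."""
    cert = x509.load_pem_x509_certificate(pem)
    problems = []
    key = cert.public_key()  # requirement 1: at least a 2048-bit (RSA) key
    if not isinstance(key, rsa.RSAPublicKey) or key.key_size < 2048:
        problems.append("key: not RSA of at least 2048 bits")
    # requirement 2: no expired certs (newer cryptography has a tz-aware accessor, older does not)
    expiry = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if expiry < datetime.now(timezone.utc):
        problems.append("expired: notAfter is in the past")
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)  # draft requirement 3
    if expected_host and (not cn or cn[0].value != expected_host):
        problems.append("cn: does not match the entity's host name")
    try:  # draft requirement 5: CA bit must be off
        if cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca:
            problems.append("ca: basicConstraints CA bit is set")
    except x509.ExtensionNotFound:
        pass
    try:  # draft requirement 6: key must be usable for both signing and encryption
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
        if not (ku.digital_signature and ku.key_encipherment):
            problems.append("keyusage: must allow digitalSignature and keyEncipherment")
    except x509.ExtensionNotFound:
        pass
    return problems


def make_self_signed(host: str, bits: int, days: int, ca: bool = False) -> bytes:
    """Constructed test input: a self-signed cert (provider 1 above) with chosen properties."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, host)])
    now = datetime.now(timezone.utc)
    usage = x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True,
                          data_encipherment=False, key_agreement=False, key_cert_sign=ca,
                          crl_sign=False, encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=30)).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(usage, critical=True).sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)
```

A certificate without basicConstraints or keyUsage extensions passes items 5 and 6 here; whether absence should count as compliant is one of the open questions above.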

Policy

  1. Will the domains in the cert be approved by InCommon? If the TAC as a group thinks not, John will then take it to Steering and legal to discuss the liability implications of publishing domains that have not been approved.