The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Introduction

InCommon accepts X.509 server certificates from the following certificate providers:

  1. Self-Signed
  2. InCommon CA

With a justification, InCommon may also accept certificates from:

  1. Any third-party CA

InCommon accepts this broad array of certificates because the signer of the certificate has no relevance to the trust model that secures the interactions of federation participants using supported technologies like SAML. Allowing self-signed certificates simplifies the work of participants that may be required to join multiple federations, or who support local systems that are not enrolled in the federation.

Third party certificates are discouraged because they can create interoperability issues in certain cases, and lead to configurations that mistakenly rely on the certificate signer to establish trust in the certificate. Where necessary they can be accomodated because of constraints imposed on participants from other sources.

Requirements

InCommon sets the following security and trust parameters around certificates that are included in federation metadata:

  1. RSA keys with a minimum size of 2048 bits
  2. No expired certs accepted; expired certs may be retained in the metadata at the discretion of the participant, but may cause interoprability issues with non-Shibboleth software

In the case of certificates used for SSL server authentication:

  1. A CN or subjectAltName matching the intended hostname(s)
  2. Either omission of the TLS Client and Server Authentication extensions, or inclusion of the Server Authentication extension.

In the case of certificates used for SSL client authentication:

  1. Either omission of the TLS Client and Server Authentication extensions, or inclusion of the Client Authentication extension.

The SSL requirements MAY be left to the discretion and responsibility of federation participants; InCommon merely highlights the requirements that are likely to cause problems if not met.

Policy

  1. Domains in cert will be approved by InCommon?? If the TAC as a group thinks, no, john will then take it to Steering and legal to discuss the liability implications of publishing domains that have not been approved. [SC: No, we shouldn't check any certificate content other than what's listed above or can be used to identify cryptographic flaws (e.g. weak keys)]

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels