The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

(question) = Questions for the TAC

(warning) = Questions John is taking to attorney

X.509 Certificates in the InCommon Federation

InCommon accepts X.509 server certificates from the following certificate providers:

  1. Self-Signed
  2. InCommon Certificate Authority (Phasing out by August 2011)

With a justification, InCommon may also accept certificates from a third-party Certificate Authority (CA).

Beginning September 1, 2009, InCommon will no longer issue certificates signed by the InCommon CA (unless someone freaks out and needs us to). We will transition the entire federation to self-signed certificates over the next 2 years. This should not be a big deal. (question) *Other federations have already implemented this practice.*??

Security and Certificate Authorities

In SAML metadata, the signer of individual certificates has no relevance to the trust model that secures the interactions between federation participants. Participant site administrators securely transmit digital certificates and metadata to InCommon. InCommon signs the entire metadata file, securing the keys of its participants whether they are represented in the context of self-signed certificates or certificates signed by an authority. The critical element in the certificate is the public key, which is associated with the participant's metadata. The other elements in the certificate are irrelevant to security and trust. Theoretically, if software systems could accept a public key without a certificate wrapper, InCommon would only need to include the public key of each end point. As it is, the certificate is a practical shell for the public key, the critical element being that the key is bound to a particular endpoint in the metadata. Because the fields in the certificate are not related to trust or security, InCommon will not impose any requirements on certificate fields, *(other than to monitor the subjects for obvious or aggregious misrepresentations??)*(warning)

Futhermore, allowing self-signed certificates simplifies the work of participants who may be required to join multiple federations, or who support local systems that are not enrolled in the federation.

Third-party certificates signed by an authoritative CA are discouraged since they can create interoperability issues in certain cases, and lead to configurations that mistakenly rely on the certificate signer to establish trust in the certificate. Where necessary they can be accommodated because of constraints imposed on participants from other sources.

Requirements

InCommon sets the following security and trust parameters around certificates that are included in federation metadata:

  1. RSA keys with a minimum size of 2048 bits for all new submissions. We will allow current InCommon certs at 1024 and will migrate all old certificates out of the metadata as they expire, and upgrade them to 2048. All certificates in the federation must be upgraded to 2048 key sizes by the end of August 2011. We recommend that participants submit a certificate with a new key every 3 years. Security problems in 10 years? Policing, requiring? (question)
  2. Expired certificates will not be accepted. However, expired certificates may be retained in the metadata at the discretion of the participant. Shibboleth does not check expiration dates of certificates, but this practice may cause interoperability issues with non-Shibboleth software.

Options for You to Consider

  1. (question) Think more about our recommendation/requirement about using the same key for signing and encryption.

In the case of certificates used for SSL server authentication:

  1. A CN or subjectAltName matching the intended hostname(s) (question) Optional or Required?
  2. Either omission of the TLS Client and Server Authentication extensions, or inclusion of the Server Authentication extension. (question)

In the case of certificates used for SSL client authentication:

  1. Either omission of the TLS Client and Server Authentication extensions, or inclusion of the Client Authentication extension. (question)

The SSL requirements MAY be left to the discretion and responsibility of federation participants; InCommon merely highlights the requirements that are likely to cause problems if not met.

Disclaimers

[SC: No, we shouldn't check any certificate content other than what's listed above or can be used to identify cryptographic flaws (e.g. weak keys)]

  1. Disclaimer in the metadata itself(warning)
  2. Disclaimer check box upon submission: Talk to Legal.(warning)
#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels