mace-opensaml-users - Re: [OpenSAML] Should SignatureValidator validate whether a certificate is expired or active?
Subject: OpenSAML user discussion
List archive
Re: [OpenSAML] Should SignatureValidator validate whether a certificate is expired or active?
Chronological Thread
- From: Chad La Joie <>
- To:
- Subject: Re: [OpenSAML] Should SignatureValidator validate whether a certificate is expired or active?
- Date: Wed, 01 Jul 2009 19:02:48 +0200
- Organization: SWITCH
wrote:
While testing we found that the SignatureValidator.validate method indicated
that a saml a signature was valid using an expired certificate. Is this
appropriate behavior or should the validate method also validate the
certificate?
Thats expected. The signature is valid. Whether you trust the credential is a different matter.
Is there some other place that the certificate is validated? We have a very
simple implementation and are not using a trust engine.
However you chose to do it. The trust engines are what the IdP uses to do it. A super, brain-dead-simple, way to do this would be to just have a trust set of certs and then do a byte[] comparison. If the cert that signed it is in your trust list then you trust it, if not, you don't.
Its not a big deal as we've added code to check the validity of the
certificate before validating the signature. I'm just wondering if this is a
bug or by design?
Well, if you think the signature is telling you anything then it is a big issue, because it's not. I could easily gen a cert, intercept a message, remove the signature, change the message and sign with me cert. If you never check if the cert is trusted you'd never know the difference.
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
- Should SignatureValidator validate whether a certificate is expired or active?, bryn . ryans, 07/01/2009
- Re: [OpenSAML] Should SignatureValidator validate whether a certificate is expired or active?, Chad La Joie, 07/01/2009
- RE: [OpenSAML] Should SignatureValidator validate whether a certificate is expired or active?, Bryn Ryans, 07/01/2009
- Re: [OpenSAML] Should SignatureValidator validate whether a certificate is expired or active?, Chad La Joie, 07/01/2009
Archive powered by MHonArc 2.6.16.