mace-opensaml-users - Re: [OpenSAML] certificate management
Subject: OpenSAML user discussion
- From: Chad La Joie <>
- Subject: Re: [OpenSAML] certificate management
- Date: Fri, 07 Jan 2011 08:18:02 -0500
- Organization: Itumi, LLC
No, trust establishment is specifically out of scope. Shib embeds the certs in metadata and checks against that. Most other products do use metadata so they do something else.
In terms of key rollover we just put both keys in the metadata for a period of time and then pull the old one when we think everyone has had enough time to get the new metadata.
On 1/7/11 8:15 AM, Chris Card wrote:
Hi,
Do the SAML specs give any guidance on how to manage certificates used to verify signatures on AuthnRequests and Assertions, especially in the case where there are multiple IDPs talking to an SP? For example, if the SP certificate changes, the consequent metadata change must be propagated to all the IDPs, and while the propagation is happening there's a time window where it's possible that an IDP will reject an AuthnRequest because it hasn't received the new certificate.
Chris
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
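The overlap procedure from the reply above (publish both certificates in metadata, let it propagate, then retire the old one), as an added example that is not part of this thread or of OpenSAML. The md: and ds: namespaces are the real SAML metadata and XML Signature namespaces; the entityID and certificate contents are constructed placeholders, so the explicit-key trust step is modelled on certificate fingerprints rather than on a real XML signature check.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholders standing in for base64-encoded DER certificates.
OLD_CERT = base64.b64encode(b"placeholder: old SP signing certificate").decode()
NEW_CERT = base64.b64encode(b"placeholder: new SP signing certificate").decode()


def sp_metadata(*signing_certs):
    """Build SP metadata carrying one signing KeyDescriptor per certificate."""
    kds = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for c in signing_certs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://sp.example.org/shibboleth">'  # constructed entityID
            f'<md:SPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{kds}</md:SPSSODescriptor>'
            f"</md:EntityDescriptor>")


def fingerprint(cert_b64):
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def trusted_signing_fingerprints(metadata_xml):
    """Every certificate a verifier holding this metadata accepts for signatures.
    A KeyDescriptor without a 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    return {fingerprint(cert.text.strip())
            for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor")
            if kd.get("use") in (None, "signing")
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate")}


def idp_accepts(idp_metadata_copy, signing_cert_b64):
    """Explicit-key trust: the signer's cert must appear in the IdP's copy of metadata."""
    return fingerprint(signing_cert_b64) in trusted_signing_fingerprints(idp_metadata_copy)


def rollover_timeline():
    """Each step is (metadata copy the IdP currently holds, cert the SP signs with)."""
    both = sp_metadata(OLD_CERT, NEW_CERT)
    steps = {
        "publish_both_idp_stale": (sp_metadata(OLD_CERT), OLD_CERT),   # keep signing with old
        "switch_too_early": (sp_metadata(OLD_CERT), NEW_CERT),         # the rejection window
        "idp_refreshed_then_switch": (both, NEW_CERT),
        "old_removed_idp_stale": (both, NEW_CERT),                     # stale copy still has new
        "old_removed_idp_refreshed": (sp_metadata(NEW_CERT), NEW_CERT),
    }
    return {name: idp_accepts(md, cert) for name, (md, cert) in steps.items()}
```

Only the switch_too_early step is rejected: the window Chris describes opens if the SP starts signing with the new key before the IdPs have picked up the metadata that lists it, which is why the SP keeps signing with the old key until the overlap period has run.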