shibboleth-dev - Re: shib origin 1.0 sso assertion error (fwd)
Subject: Shibboleth Developers
- From: "RL 'Bob' Morgan" <>
- To: Shibboleth Design Team <>
- Subject: Re: shib origin 1.0 sso assertion error (fwd)
- Date: Tue, 10 Jun 2003 13:03:05 -0700 (PDT)
Another case of a cert that "worked" for 0.8 not working for 1.0, since it
was bogus all along. So our transition material should include a warning
to make sure your HS cert really does have the name of your HS in it ...
- RL "Bob"
---------- Forwarded message ----------
Date: Tue, 10 Jun 2003 12:12:21 -0700 (PDT)
From: RL 'Bob' Morgan <>
To: Ryan Muldoon <>
Cc: , Keith Hazelton <>
Subject: Re: shib origin 1.0 sso assertion error
On 10 Jun 2003, Ryan Muldoon wrote:
> I think I must have given you wrong information somehow, as I am
> getting:
> Exception: trust failed: ShibPOSTProfile::accept() detected an untrusted
> HS for the origin site
>
> Is this a cert problem? I am using the same certs as I was for 0.8....
Yes, I believe it's a cert problem ... and it reveals the fact that 0.8
was not doing any cert checking (hence was totally insecure, ie anyone
could make a successful assertion). From what I can see the cert sent
with the assertion, indicating the signer of the assertion, has the
Subject name:
Subject: C=Unknown, ST=Unknown, O=Unknown, OU=Unknown,
CN=shib2.internet2.edu
So I think you need to get a proper cert for gari, from Eric's HEPKI CA.
I ran into this too, when I first tried, and it turned out I was using a
cert with the name of my old test origin ... 8^)
- RL "Bob"
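
Added example, not part of the original message and not Shibboleth's own code: a pre-migration check in the spirit of the warning above, comparing the CN in a certificate's subject line against the name the HS is expected to have. The function names and the host name gari.example.edu are assumptions made for illustration, and the check covers only the name, not validation of the certificate chain.

```python
import re

# One "KEY=value" pair, preceded by start of string, a comma or a slash.
_PAIR = re.compile(r"(?:^|[,/])\s*([A-Za-z]+)\s*=\s*([^,/]*)")

def parse_subject(line):
    """Parse a subject DN written as in the message above, or as printed by
    `openssl x509 -noout -subject` (comma- or slash-separated forms).
    Simplification: values that themselves contain ',' or '/' are not handled."""
    dn = re.sub(r"^\s*subject\s*[:=]\s*", "", line.strip(), flags=re.I)
    attrs = {}
    for key, value in _PAIR.findall(dn):
        attrs.setdefault(key.upper(), []).append(value.strip())
    return attrs

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".")

def check_hs_cert(subject_line, expected_hs_name):
    """Return a list of problems; an empty list means the CN matches."""
    cns = [_norm(cn) for cn in parse_subject(subject_line).get("CN", [])]
    if not cns:
        return ["subject has no CN"]
    if _norm(expected_hs_name) not in cns:
        return ["CN %s does not name the HS %r" % (", ".join(cns), expected_hs_name)]
    return []

# Subject quoted in the message above.
PAGE_SUBJECT = ("Subject: C=Unknown, ST=Unknown, O=Unknown, OU=Unknown, "
                "CN=shib2.internet2.edu")

if __name__ == "__main__":
    # "gari.example.edu" is a constructed placeholder for the real HS name.
    for hs in ("gari.example.edu", "shib2.internet2.edu"):
        print(hs, "->", check_hs_cert(PAGE_SUBJECT, hs) or "ok")
```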