shibboleth-dev - RE: client certificate chains and 1.3 IdP
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: "'Walter Hoehn'" <>, "'Ian Young'" <>
- Cc: <>
- Subject: RE: client certificate chains and 1.3 IdP
- Date: Wed, 6 Jul 2005 12:00:49 -0400
- Organization: The Ohio State University
> > I've now tested that in our case, adding the intermediates in
> > question to the EntitiesDescriptor /Extensions /KeyAuthority list
> > allows the IdP to validate the "path". I imagine, though, that it
> > is not validating the whole path to the self-signed root but only
> > to the immediate signer of the end certificate; do you agree? Is
> > there a way to confirm this with the current codebase?
The Java is stopping at the first trust anchor. My code is continuing until
it finds a self-signed anchor, but I also support chaining. So things are
inconsistent between the two, and the only way to get both to work is to
have every intermediate and root present in the metadata.
> > fixes AJP... I'm assuming that adding intermediates to the
> > KeyAuthority list won't cause trouble for 1.2 entities; do you know
> > of any issues that might come up there?
No, OpenSSL is fine with them.
> The IdP trust module definitely allows anchoring with non-self-signed
> certificates. This is correct behavior according to PKIX. I believe
> that Scott worked around the OpenSSL limitations in 1.3 so that both
> code-based behave the same, but I'll let him confirm that.
No, it was impossible to use anything from OpenSSL and still fix this. It's
their bug, they need to fix it. Richard L. refuses to, and claims nobody
needs non-self-signed roots. So I'd take it up with him.
-- Scott
- RE: client certificate chains and 1.3 IdP, (continued)
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/05/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Walter Hoehn, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Thomas Lenggenhager, 07/07/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Walter Hoehn, 07/06/2005
Archive powered by MHonArc 2.6.16.