
shibboleth-dev - RE: client certificate chains and 1.3 IdP

Subject: Shibboleth Developers


RE: client certificate chains and 1.3 IdP


  • From: "Scott Cantor" <>
  • To: "'Walter Hoehn'" <>, "'Ian Young'" <>
  • Cc: <>
  • Subject: RE: client certificate chains and 1.3 IdP
  • Date: Wed, 6 Jul 2005 12:00:49 -0400
  • Organization: The Ohio State University

> > I've now tested that in our case, adding the intermediates in
> > question to the EntitiesDescriptor /Extensions /KeyAuthority list
> > allows the IdP to validate the "path". I imagine, though, that it
> > is not validating the whole path to the self-signed root but only
> > to the immediate signer of the end certificate; do you agree? Is
> > there a way to confirm this with the current codebase?

The Java is stopping at the first trust anchor. My code is continuing until
it finds a self-signed anchor, but I also support chaining. So things are
inconsistent between the two, and the only way to get both to work is to
have every intermediate and root present in the metadata.

> > fixes AJP... I'm assuming that adding intermediates to the
> > KeyAuthority list won't cause trouble for 1.2 entities; do you know
> > of any issues that might come up there?

No, OpenSSL is fine with them.

> The IdP trust module definitely allows anchoring with non-self-signed
> certificates. This is correct behavior according to PKIX. I believe
> that Scott worked around the OpenSSL limitations in 1.3 so that both
> code-bases behave the same, but I'll let him confirm that.

No, it was impossible to use anything from OpenSSL and still fix this. It's
their bug, they need to fix it. Richard L. refuses to, and claims nobody
needs non-self-signed roots. So I'd take it up with him.

-- Scott
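The inconsistency Scott describes, as an added example that is not part of this thread or of the Shibboleth code base: Go's standard `crypto/x509` verifier is used here as a stand-in for both implementations, on a constructed root / intermediate / end-entity chain. Policy 1 models the Java IdP behaviour (any KeyAuthority certificate is a trust anchor and the path stops there, self-signed or not); policy 2 models Scott's behaviour (KeyAuthority certificates may also be chained through, but the path is only accepted once it reaches a self-signed certificate). The certificate names, the ECDSA keys and the three KeyAuthority configurations are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-certificate PKI: a self-signed root, an
// intermediate issued by the root, and an end-entity cert issued by the
// intermediate (stand-ins for an SP certificate and its issuers).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// sign issues tmpl under parent; parent == tmpl yields a self-signed cert.
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain creates the constructed PKI with fresh keys (assumed names).
func BuildChain() Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootT := template("Constructed Root CA", 1, true)
	root := sign(rootT, rootT, rootKey, rootKey)
	inter := sign(template("Constructed Intermediate CA", 2, true), root, interKey, rootKey)
	leaf := sign(template("sp.example.org", 3, false), inter, leafKey, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// Outcome records each policy's verdict for one KeyAuthority list;
// chain lengths count the leaf.
type Outcome struct {
	StopAtAnchorOK, SelfSignedOK   bool
	StopAtAnchorLen, SelfSignedLen int
}

// Evaluate runs both modelled policies over the same KeyAuthority certs.
func Evaluate(c Chain, keyAuthority []*x509.Certificate) Outcome {
	var out Outcome
	opts := x509.VerifyOptions{Roots: pool(keyAuthority), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	// Policy 1: every KeyAuthority cert is an anchor; the shortest path wins.
	if chains, err := c.Leaf.Verify(opts); err == nil {
		out.StopAtAnchorOK, out.StopAtAnchorLen = true, len(chains[0])
		for _, ch := range chains[1:] {
			if len(ch) < out.StopAtAnchorLen {
				out.StopAtAnchorLen = len(ch)
			}
		}
	}
	// Policy 2: KeyAuthority certs may also be chained through, and the
	// path must end at a self-signed cert (one that verifies under its own key).
	opts.Intermediates = pool(keyAuthority)
	if chains, err := c.Leaf.Verify(opts); err == nil {
		for _, ch := range chains {
			if top := ch[len(ch)-1]; top.CheckSignatureFrom(top) == nil {
				out.SelfSignedOK, out.SelfSignedLen = true, len(ch)
				break
			}
		}
	}
	return out
}

func main() {
	c := BuildChain()
	fmt.Printf("intermediate only:   %+v\n", Evaluate(c, []*x509.Certificate{c.Intermediate}))
	fmt.Printf("root only:           %+v\n", Evaluate(c, []*x509.Certificate{c.Root}))
	fmt.Printf("intermediate + root: %+v\n", Evaluate(c, []*x509.Certificate{c.Intermediate, c.Root}))
}
```

Running it shows the three cases discussed above: an intermediate-only KeyAuthority list passes policy 1 (path of length 2) but fails policy 2; a root-only list fails both, because nothing links the end-entity certificate to the root; intermediate plus root passes both, with policy 1 stopping at the intermediate and policy 2 walking through to the root (path of length 3). Which one an implementation applies is a trust decision, not a bug fix: stopping at a non-self-signed anchor is permitted by PKIX, while insisting on a self-signed root is the stricter OpenSSL-style behaviour.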



