shibboleth-dev - On using CRLs in Shibboleth (was: Re: Encryption key strategies)

  • From: "Reimer Karlsen-Masur, DFN-CERT" <>
  • To:
  • Subject: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
  • Date: Thu, 29 Jun 2006 11:58:05 +0200

Hi.

Scott Cantor wrote:
>> I'd be interested to know how many people were, actually. The whole
>> revocation thing is (a) theoretically critical to PKI but (b) widely
>> ignored. Certainly at one point essentially all browsers came with
>> checking disabled by default because it slowed things down; I don't know
>> what the current defaults are.
>
> Browsers aside, the issue is Shibboleth, and I think it's likely that few
> people have them in place because we don't actually describe how to do it
> anywhere, really.

One of my next tasks is actually to find out where up-to-date CRLs are used
and/or needed in the Shibboleth architecture.

I know how to configure the Apache side of the SP and IdP to use CRLs when
SSL (client authentication) is required, and if and only if I get hold of all
relevant CRLs of the certification chain/path.

As I currently understand the communication pattern of Shibboleth, it
additionally still needs to check for revoked server certificates on the
client side of an https connection, and also when the certificates are used
for verifying received signed SAML messages.

Since certificates used for securing https connections and certificates used to
secure SAML messages are not necessarily the same, a successful verification
of the certificates used during https communication on the server or the
client side does not imply that the certs used on received signed SAML
messages are also valid.

Also, if there is any direct communication between WAYF, shibd and Tomcat/IdP
bypassing Apache's SSL checks on the server side (is there any at all not
running through Apache as server?), WAYF, shibd and the IdP web application
within Tomcat would need to check the CRLs if client auth is performed on
the server side of the https connection.

Is my understanding of the Shibboleth architecture with regard to CRLs correct?

If so, is it possible to configure shibd and the Tomcat IdP to do their own
independent CRL checking?

Or does Shibboleth always depend on the fact that *all* valid used server,
client and signing certificates are in the up-to-date metadata file?

And if the latter is the case, why are CA certificates listed/needed in the
metadata file?

Lots of questions. If some of them don't make sense, please excuse me; it
probably is because I did not understand the Shibboleth architecture fully
in the first place. In that case I'd like to get pointers to where the https
and non-https communication patterns and the use of certificates for
communication and SAML messages within the Shibboleth architecture (and its
underlying components) are described in such detail that I can ask better
questions, if still needed :-)

Thanks for your patience,

Reimer
--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-615 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 1A9E4B95, A6 9E 4F AF F6 C7 2C B8 DA 72 F4 5E B4 A4 F0 66

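An added illustration (not from this thread, nor from Shibboleth's own code) of the independent check the poster asks about: given the certificate carried in a signed SAML message and its issuer's CRL, decide whether that signing certificate is revoked, regardless of what Apache verified on the https layer. It uses the Python `cryptography` library; the CA, the certificates and the CRL are all constructed inside the block so it runs offline, and a CRL past its nextUpdate is treated as failing closed (an out-of-date CRL proves nothing).

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UTC = datetime.timezone.utc
NOW = datetime.datetime(2024, 1, 1, tzinfo=UTC)  # constructed "current time"

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():
    """Self-signed test CA (constructed; stands in for a federation CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name("Test CA")).issuer_name(_name("Test CA"))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue(ca_key, ca_cert, cn, serial):  # end-entity cert, e.g. a SAML signing cert
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials, valid_for=datetime.timedelta(days=1)):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + valid_for))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def crl_status(cert, crl, ca_cert, now):
    """'good', 'revoked', 'stale-crl', 'bad-crl-signature' or 'issuer-mismatch'."""
    if crl.issuer != cert.issuer:
        return "issuer-mismatch"        # this CRL is not from the cert's issuer
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-crl-signature"      # CRL was not signed by the trusted CA
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
    if now > nxt:
        return "stale-crl"              # fail closed: the CRL is no longer current
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"
```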