shibboleth-dev - Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- From: "Reimer Karlsen-Masur, DFN-CERT"
- Subject: Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- Date: Mon, 03 Jul 2006 17:01:17 +0200
Hi.
Scott Cantor wrote:
>> One of my next tasks is actually to find out where up-to-date
>> CRLs are used and/or needed in the shibboleth architecture.
>
> Try here for starters:
>
> https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/KeysAndCertificates
>
> I've updated it finally for 1.3, it was badly out of date.
Thanks.
>> I know how to configure the Apache side of the SP and IdP to
>> use CRLs when SSL (client authentication) is required and if and only if I
>> get hold of all relevant CRLs of the certification chain/path.
>
> No, you don't. ;-)
>
> We don't use Apache anywhere for that anymore.
One thing less to worry about.
>> As I currently understand the communication pattern of shibboleth, it
>> additionally still needs to check for revoked server certificates on the
>> client side of a https connection and also when the certificates are used
>> for verifying received signed SAML messages.
>
> Yes, and this is done by embedding X509CRL elements in the metadata inside
> the proprietary KeyAuthority element we created to make CAs work.
>
> There is no support for pulling CRLs from a file because there's no XML
> Signature syntax for doing that. There's one for indirecting to a file
> containing a <ds:X509CRL>, but that's not really too helpful since CRLs
> don't come that way from CAs.
I was looking for any examples of a metadata file utilizing the X509CRL
element (in a more complex setup of two root CAs, each having one
intermediate CA). The search engine did not find any...but the very, very
outdated
http://www.liv.ac.uk/LSIP/Documentation/Shib12ImplementationDocument.html
which is using some IMO nonexistent rawX509CRL retrieval method type...
Would the following metadata file excerpt (which I constructed by reading the
schema files) work?
-------------------------------------
metadata.xml file:
<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
validUntil="2010-01-01T00:00:00Z"
Name="urn:mace:MACE_REGISTERED_FEDERATION_NAME"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0
shibboleth-metadata-1.0.xsd
http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
<Extensions>
<shibmd:KeyAuthority VerifyDepth="3">
<!-- Hierarchy 1 inline: each CA certificate followed by that CA's CRL -->
<ds:KeyInfo>
<ds:KeyName>Certificate Chain Hierarchy 1</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>
[...PEM formatted X.509 Root-CA 1 certificate...]
</ds:X509Certificate>
<ds:X509CRL>
[...the above CA's PEM formatted X.509 CRL ...]
</ds:X509CRL>
<ds:X509Certificate>
[...PEM formatted X.509 Intermediate-CA 1 certificate...]
</ds:X509Certificate>
<ds:X509CRL>
[...the above CA's PEM formatted X.509 CRL ...]
</ds:X509CRL>
</ds:X509Data>
</ds:KeyInfo>
<!-- Hierarchy 2 by reference: the ds:X509Data element lives in a separate file -->
<ds:KeyInfo>
<ds:KeyName>Certificate Chain Hierarchy 2</ds:KeyName>
<ds:RetrievalMethod URI="/path/to/referencedX509Data.xml"
Type="http://www.w3.org/2000/09/xmldsig#X509Data">
<!-- empty: no transformations of the referenced file are necessary -->
</ds:RetrievalMethod>
</ds:KeyInfo>
</shibmd:KeyAuthority>
</Extensions>
[...standard metadata stuff....]
</EntitiesDescriptor>
----------------------------------------
referencedX509Data.xml file:
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- Hierarchy 2: each CA certificate followed by that CA's CRL -->
<ds:X509Certificate>
[...PEM formatted X.509 Root-CA 2 certificate...]
</ds:X509Certificate>
<ds:X509CRL>
[...the above CA's PEM formatted X.509 CRL ...]
</ds:X509CRL>
<ds:X509Certificate>
[...PEM formatted X.509 Intermediate-CA 2 certificate...]
</ds:X509Certificate>
<ds:X509CRL>
[...the above CA's PEM formatted X.509 CRL ...]
</ds:X509CRL>
</ds:X509Data>
------------------------------------------
Related questions:
Will Shibboleth be aware of multiple KeyAuthority elements under the
Extensions element using different VerifyDepths?
Would VerifyDepth=2 be sufficient for this example of two CAs in the chain
validating the EE certificate?
Where in the logs can I observe that Shibboleth was validating certificates
against a certificate chain, and which CRLs were used?
If CRLs are stored in files other than the metadata file using the
RetrievalMethod element, will Shibboleth notice an updated CRL if the
metadata file has not been updated?
...
>> And if the latter is the case, why are CA certificates
>> listed/needed in the meta data file?
>
> They're not really needed, they're supported in place of keys because people
> wanted us to support them. But without use of CRLs, I'm saying that's a
> dangerous thing to use, and so I'm just starting to fully comprehend the
> danger.
One does not want to have certificates for ClientAuth validated only via CAs
without checking for revoked ones against an up-to-date CRL, via OCSP, or by
other means.
Thanks
Reimer
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-615 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 1A9E4B95, A6 9E 4F AF F6 C7 2C B8 DA 72 F4 5E B4 A4 F0 66
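Two of the questions in the message above (is a revoked certificate only caught when every CA's CRL in the chain is at hand, and does a VerifyDepth of 2 cover a root plus one intermediate) can be rehearsed against a throwaway hierarchy before anything goes into production metadata. The script below is an added example written for this page; it is not code from the thread, from Shibboleth or from DFN-CERT. It assumes that `openssl verify` is an adequate stand-in for the SP's OpenSSL-based chain validation (an assumption: Shibboleth's own VerifyDepth handling is not documented on this page), and every CA name, path, serial number and lifetime in it is made up. It also emits a KeyAuthority fragment in the shape of the excerpt above, putting only the base64 body between the `<ds:X509Certificate>` and `<ds:X509CRL>` tags, since XML Signature defines those elements as base64-encoded DER rather than whole PEM files.

```shell
#!/bin/sh
# Added example, not Shibboleth code: a throwaway root -> intermediate ->
# end-entity hierarchy built with OpenSSL to exercise two questions from the
# post (does revocation need every CA's CRL; what verify depth the chain needs).
# "openssl verify" stands in for the SP (an assumption); all names are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Minimal config: extension sections for req/x509 plus one "openssl ca"
# section per CA, so each CA keeps its own index (its revocation database).
write_config() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[root_ca]
database = $WORK/root.index
default_md = sha256
[int_ca]
database = $WORK/int.index
default_md = sha256
EOF
    : > "$WORK/root.index"; : > "$WORK/int.index"
}
newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Self-signed root, intermediate signed by it, end-entity (an SP cert) signed
# by the intermediate. -set_serial avoids .srl bookkeeping.
build_pki() {
    write_config
    newkey "$WORK/root.key"; newkey "$WORK/int.key"; newkey "$WORK/ee.key"
    openssl req -new -x509 -key "$WORK/root.key" -subj "/CN=Example Root CA 1" -days 30 \
        -config "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -key "$WORK/int.key" -subj "/CN=Example Intermediate CA 1" \
        -config "$WORK/ca.cnf" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -set_serial 1001 \
        -days 30 -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null
    openssl req -new -key "$WORK/ee.key" -subj "/CN=sp.example.org" \
        -config "$WORK/ca.cnf" -out "$WORK/ee.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -set_serial 2001 \
        -days 30 -extfile "$WORK/ca.cnf" -extensions ee_ext -out "$WORK/ee.pem" 2>/dev/null
}
# (Re)issue each CA's CRL and bundle them: what the SP holds once both are
# embedded as <ds:X509CRL> elements in the metadata.
gen_crls() {
    for ca in root int; do
        openssl ca -config "$WORK/ca.cnf" -name "${ca}_ca" -gencrl -crldays 1 \
            -keyfile "$WORK/$ca.key" -cert "$WORK/$ca.pem" -out "$WORK/$ca.crl" 2>/dev/null
    done
    cat "$WORK/root.crl" "$WORK/int.crl" > "$WORK/crls.pem"
}
# Revoke the end-entity certificate at its issuer and publish fresh CRLs.
revoke_ee() {
    openssl ca -config "$WORK/ca.cnf" -name int_ca -revoke "$WORK/ee.pem" \
        -keyfile "$WORK/int.key" -cert "$WORK/int.pem" 2>/dev/null
    gen_crls
}
# Validate ee.pem against the hierarchy with extra "openssl verify" options ($@).
# Echoes OpenSSL's verdict (so the failure reason is visible); returns 0 only on acceptance.
verify_ee() {
    _out=$(openssl verify "$@" -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/ee.pem" 2>&1) && _rc=0 || _rc=$?
    echo "$_out"; return $_rc
}
# Smallest -verify_depth that still accepts root -> intermediate -> EE. OpenSSL >= 1.1.0
# counts only intermediates (1); 1.0.x counted the root too (2). Never more than 2 here.
min_verify_depth() {
    for d in 0 1 2 3; do
        if verify_ee -verify_depth "$d" >/dev/null; then echo "$d"; return 0; fi
    done; return 1
}
# Base64 body without the BEGIN/END armour: what goes between the ds: tags, not the PEM file.
pem_body() { sed '/^-----/d' "$1"; }
# KeyAuthority fragment in the shape of the excerpt: each CA certificate, then its CRL.
key_authority_fragment() {
    printf '<shibmd:KeyAuthority VerifyDepth="%s">\n<ds:KeyInfo>\n<ds:X509Data>\n' "$1"
    for ca in root int; do
        printf '<ds:X509Certificate>\n'; pem_body "$WORK/$ca.pem"; printf '</ds:X509Certificate>\n'
        printf '<ds:X509CRL>\n'; pem_body "$WORK/$ca.crl"; printf '</ds:X509CRL>\n'
    done
    printf '</ds:X509Data>\n</ds:KeyInfo>\n</shibmd:KeyAuthority>\n'
}

build_pki; gen_crls
echo "== valid cert, both CRLs:"; verify_ee -crl_check_all -CRLfile "$WORK/crls.pem"
revoke_ee
echo "== revoked, both CRLs:"; verify_ee -crl_check_all -CRLfile "$WORK/crls.pem" || true
echo "== revoked, root CRL only:"; verify_ee -crl_check_all -CRLfile "$WORK/root.crl" || true
echo "== revoked, no CRL check:"; verify_ee
echo "== smallest working -verify_depth: $(min_verify_depth)"
key_authority_fragment 2 > "$WORK/keyauthority.xml"; echo "== fragment in $WORK/keyauthority.xml"
```

The four `verify_ee` runs show the point of the thread in OpenSSL's own words: with both CRLs present the revoked certificate is rejected ("certificate revoked"), with only the root's CRL the check cannot even complete ("unable to get certificate CRL"), and with no CRL checking at all the revoked certificate still validates as OK, which is the danger of trusting CA certificates in metadata without CRLs. The depth probe reports what this OpenSSL build needs for a two-CA hierarchy; whether the SP's VerifyDepth maps onto OpenSSL's -verify_depth one-to-one is not established by this page.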