Subject Re: How to join the refeds wiki
From Ian Young <ian@xxxxxxxxxx>
Date Fri, 13 Mar 2009 16:02:38 +0000

On 13 Mar 2009, at 13:05, Milan Sova wrote:

	Hi Ian.
On 11.03.2009 14:22, Ian Young wrote:
There are two different things being discussed:

An embedded
trust certificate is (to software like Shibboleth, in particular)
independent of the CA by which was issued; think of it as a decorative wrapper for the public key in this case. So almost[1] any certificate would be fine here for UK purposes, and indeed we frequently accept more
than one if that makes sense for a transition from one certificate
product to another.  We also accept self-signed certificates in this
role in many cases.

[1] no short keys, no Debian weak keys, no expired certificates please

	That's interesting. Could you please explain why would you refuse an
expired certificate?

Compatibility. Although (for example) Shibboleth doesn't care about the expiry date on an embedded certificate, and although that's what the draft Oasis profile says, nevertheless there is software out there that does look at the expiry date. We have a very varied collection of software in our federation, so we prefer to maximise interoperability when it's easy to do so.

	-- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature