Refeds


Subject Re: How to join the refeds wiki
From Milan Sova <sova@xxxxxxxxx>
Date Fri, 13 Mar 2009 18:14:26 +0100

On 13.03.2009 17:02, Ian Young wrote:
> 
> On 13 Mar 2009, at 13:05, Milan Sova wrote:
> 
>>     Hi Ian.
>> On 11.03.2009 14:22, Ian Young wrote:
>>> There are two different things being discussed:
>>>
>>> An embedded
>>> trust certificate is (to software like Shibboleth, in particular)
>>> independent of the CA by which was issued; think of it as a decorative
>>> wrapper for the public key in this case.  So almost[1] any certificate
>>> would be fine here for UK purposes, and indeed we frequently accept more
>>> than one if that makes sense for a transition from one certificate
>>> product to another.  We also accept self-signed certificates in this
>>> role in many cases.
>>>
>>>
>>>
>>> [1] no short keys, no Debian weak keys, no expired certificates please
>>
>>     That's interesting. Could you please explain why would you refuse an
>> expired certificate?
> 
> Compatibility.  Although (for example) Shibboleth doesn't care about the
> expiry date on an embedded certificate, and although that's what the
> draft Oasis profile says, nevertheless there is software out there that
> does look at the expiry date.  We have a very varied collection of
> software in our federation, so we prefer to maximise interoperability
> when it's easy to do so.

	I see. Is there anything else the broken software checks (hostname, key
usage...) or is any self-signed certificate with notAfter=2050-12-31
acceptable?

	Regards
-- 
						Milan Sova
						sova@xxxxxxxxx

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature