Subject Re: Self Signed Certs
From Olivier Salaün <olivier.salaun@xxxxxx>
Date Tue, 04 Aug 2009 11:14:35 +0200

Hi John,

While moving from our previous federation (CRU Federation) to the new Fédération Education-Recherche, we decided to stop maintaining a list of trusted CAs and accept any SP/IdP certificates including self-signed ones. At the same time we have generalized attribute push within the federation to get rid of the Attribute Authority and its X.509 authentication.

Our experience is truly positive:
  • IdPs now use the default Shibboleth configuration with the generated certificate. This certificate has a longer validity period, thus providing less work for IdP administrators;
  • SPs can use the same certificate they're using with other federations/IdPs. They don't need to check our list of supported CAs. We neither need to collect their list of intermediate CAs (very time consuming). They don't need to buy a new certificate;
  • No more issues with mod_ssl configuration on the SPs side, because IdPs push attributes through the web browser;
  • The attribute push also makes the federated architecture much simpler and therefore easier to explain and to debug.
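Why dropping the CA list does not weaken trust, as an added example that is not part of this thread nor Shibboleth's own code: a SAML federation anchors trust in the metadata it publishes, so a peer's certificate is accepted only if that exact certificate, self-signed or not, is registered under the peer's entityID. The metadata fragment, entityIDs and certificate bytes below are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a DER-encoded self-signed IdP certificate.
IDP_CERT_DER = b"self-signed IdP cert, constructed"
IDP_CERT_B64 = base64.b64encode(IDP_CERT_DER).decode()

# Constructed federation metadata: one IdP with one registered signing cert.
FEDERATION_METADATA = f"""
<EntitiesDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}">
  <EntityDescriptor entityID="https://idp.example.edu/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def trusted_fingerprints(metadata_xml):
    """Map entityID -> SHA-256 fingerprints of every certificate in its metadata."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        fps = set()
        for cert_el in entity.iter(f"{{{DS_NS}}}X509Certificate"):
            # Metadata base64 is often wrapped; strip all whitespace before decoding.
            der = base64.b64decode("".join((cert_el.text or "").split()))
            fps.add(hashlib.sha256(der).hexdigest())
        result[entity.get("entityID")] = fps
    return result


def peer_cert_trusted(entity_id, peer_cert_der, metadata_xml=FEDERATION_METADATA):
    """Explicit key trust: the issuer is irrelevant, only an exact match in the
    metadata registered for this entityID makes the certificate acceptable."""
    fp = hashlib.sha256(peer_cert_der).hexdigest()
    return fp in trusted_fingerprints(metadata_xml).get(entity_id, set())
```

A certificate that is CA-signed but not listed in the metadata is rejected just like an unknown self-signed one, which is why the CA list becomes redundant once metadata is the trust anchor.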

John Krienke wrote:
Hello fellow federation operators,

InCommon is getting ready to support self-signed certificates in a few short weeks to help with, among other things, inter-federation. We're curious to know if other federations are supporting self-signed certificates already and if so, what you might have found along the way from a technical or communication/education perspective regarding both universities and commercial participants.