Subject: Re: [saml-dev] Same certificate for https and SAML signing
On Mon, Mar 10, 2014 at 12:57 PM, Lucas, Mike <Mike.Lucas@gwl.ca> wrote:

> Use a different one.

Agreed.

> Also, use different key-pairs for signing vs. encryption.

There are differing points of view. The IdP doesn't really need to support encryption, but the SP can and should support both, so I'll concentrate on the SP. One key for both uses (signing and encryption) reduces bloat in metadata files (which is especially important in metadata aggregates), but separate keys for each use (signing and encryption) are more flexible. The kicker is key rollover: it is much easier to roll over single-use keys, so you need to take that into account as well. FWIW, most Federations in higher ed use one key for both uses (signing and encryption) since reducing bloat is a prime consideration.

> From my experience, it's simpler to just use a long-lived (10-year or more
> expiry), self-signed cert that is pre-shared with your SAML partners, rather
> than relying on CA-signed certs.

Agreed.

> There's some background on that in this
> article:
> https://spaces.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata#X.509CertificatesinMetadata-Background

(FYI, I'm the current maintainer of that wiki page :)

> Although note that is an implementation-specific site so it may just be one
> interpretation of the spec, but it certainly rings true to me.

If you're referring to the SAML spec, it has nothing to say about this issue. The companion spec that Peter pointed to is one approach, but there is a small fraction of Federations worldwide (that I know of, anyway) that employ a model based on CA-signed certificates in metadata.

Tom