saml-dev message

Subject: Re: [saml-dev] Same certificate for https and SAML signing


On 3/13/14, 12:50 AM, "Vasu Y" <vyal2k@yahoo.com> wrote:
>
>Questions on CA-signed certs:
>1) Are there any specific issues/drawbacks when using CA-signed
>certificates apart from renewing?

Many. Starting with that it leads to security holes and isn't
interoperable. The names in certificates have no relationship to SAML
naming, and CAs do not issue certificates for SAML use, so you're misusing
a credential, and you're not getting the guarantee you think you are. And
there is no standard way to tie the credential indirectly through naming
to a SAML entity. There are non-standard ways. That's aside from the basic
issue that PKIX libraries are inconsistent, badly implemented, and buggy.

>2) Can someone throw light on "CA-signed certificates can lead to
>configurations that mistakenly establish trust based on the certificate
>signer." (Ref:
>https://spaces.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata#X.509CertificatesinMetadata-Background).

Putting a certificate in can trigger behavior in software that is not
intended because many products make assumptions about them and how to
process them. If you mean the trust model to be a key, but have to use a
certificate for practical reasons, avoiding separate issuers makes it
clear you don't mean the issuer to matter.

-- Scott
