Subject: Re: [saml-dev] Same certificate for https and SAML signing
On 3/13/14, 12:50 AM, "Vasu Y" <vyal2k@yahoo.com> wrote:

> Questions on CA-signed certs:
> 1) Are there any specific issues/drawbacks when using CA-signed
> certificates apart from renewing?

Many. Starting with that it leads to security holes and isn't interoperable.

The names in certificates have no relationship to SAML naming, and CAs do not issue certificates for SAML use, so you're misusing a credential, and you're not getting the guarantee you think you are. And there is no standard way to tie the credential indirectly through naming to a SAML entity. There are non-standard ways.

That's aside from the basic issue that PKIX libraries are inconsistent, badly implemented, and buggy.

> 2) Can someone throw light into "CA-signed certificates can lead to
> configurations that mistakenly establish trust based on the certificate
> signer." (Ref:
> https://spaces.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata#X.509CertificatesinMetadata-Background).

Putting a certificate in can trigger behavior in software that is not intended because many products make assumptions about them and how to process them.

If you mean the trust model to be a key, but have to use a certificate for practical reasons, avoiding separate issuers makes it clear you don't mean the issuer to matter.

-- Scott
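The difference between the two trust models in this reply, as an added illustration that is not code from the thread or from any SAML product: one SAML signing key is wrapped in a self-signed certificate (what metadata would carry) and in a CA-issued certificate under an https host name, and a second, unrelated key is certified by the same CA. The explicit-key check compares only the SubjectPublicKeyInfo published in metadata and ignores issuer and names; the PKIX check accepts anything the CA signed, which is the "trust based on the certificate signer" problem. All names (`sp.example.org`, `Example CA`, `other.example.net`), the `issue` helper and the `Scenario` function are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the certificate's SubjectPublicKeyInfo. In the explicit-key
// trust model this value, published in metadata, is the whole trust anchor.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// keyTrusted accepts a presented signing certificate only if its key is one of the
// keys published for the entity. Issuer, subject name and chain are ignored on purpose.
func keyTrusted(cert *x509.Certificate, metadataKeys []string) bool {
	fp := spkiFingerprint(cert)
	for _, k := range metadataKeys {
		if k == fp {
			return true
		}
	}
	return false
}

// chainTrusted is the PKIX model, shown for contrast: the certificate is accepted
// if it chains to a trusted root, whatever key it carries.
func chainTrusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

var serial int64 // constructed helper state: unique serial per minted certificate

// issue is a constructed helper that mints a certificate for pub, signed by signer.
// When parent is nil the certificate is self-signed.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario builds the certificates described above and reports what each trust model decides.
func Scenario() (map[string]bool, error) {
	var keys [3]*ecdsa.PrivateKey // entity signing key, CA key, unrelated key
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	entityKey, caKey, otherKey := keys[0], keys[1], keys[2]
	selfSigned, err := issue("sp.example.org", &entityKey.PublicKey, nil, entityKey, false)
	if err != nil {
		return nil, err
	}
	caCert, err := issue("Example CA", &caKey.PublicKey, nil, caKey, true)
	if err != nil {
		return nil, err
	}
	caIssued, err := issue("www.example.org", &entityKey.PublicKey, caCert, caKey, false)
	if err != nil {
		return nil, err
	}
	otherCert, err := issue("other.example.net", &otherKey.PublicKey, caCert, caKey, false)
	if err != nil {
		return nil, err
	}
	// What the entity's metadata publishes: its key, wrapped in the self-signed certificate.
	metadataKeys := []string{spkiFingerprint(selfSigned)}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return map[string]bool{
		"key: self-signed cert":  keyTrusted(selfSigned, metadataKeys), // true
		"key: CA-issued cert":    keyTrusted(caIssued, metadataKeys),   // true: same key, issuer irrelevant
		"key: other CA-issued":   keyTrusted(otherCert, metadataKeys),  // false: different key
		"chain: self-signed":     chainTrusted(selfSigned, roots),      // false: no chain to the CA
		"chain: CA-issued cert":  chainTrusted(caIssued, roots),        // true
		"chain: other CA-issued": chainTrusted(otherCert, roots),       // true: trust came from the signer
	}, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Printf("%-24s %v\n", k, v)
	}
}
```

The last row is the point of the InCommon text quoted in the question: a chain-validating verifier accepts any key the CA was willing to certify, while the key-matching verifier accepts the entity's key in either wrapper and nothing else.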