saml-dev message


Subject: Re: [saml-dev] Same certificate for https and SAML signing

Hi All,
Thanks for your valuable input.
I will use different keys for signing and encryption, and will check with prospective customers whether they are okay with self-signed certs.

Questions on CA-signed certs:
1) Are there any specific issues/drawbacks when using CA-signed certificates apart from renewing?
2) Can someone throw light on "CA-signed certificates can lead to configurations that mistakenly establish trust based on the certificate signer." (Ref: https://spaces.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata#X.509CertificatesinMetadata-Background)?

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Tom Scavo <trscavo@gmail.com>; "Lucas, Mike" <Mike.Lucas@gwl.ca>
Cc: SAML Developers <saml-dev@lists.oasis-open.org>; "vyal2k@yahoo.com" <vyal2k@yahoo.com>
Sent: Tuesday, 11 March 2014 12:31 AM
Subject: Re: [saml-dev] Same certificate for https and SAML signing

On 3/10/14, 2:36 PM, "Tom Scavo" <trscavo@gmail.com> wrote:

>If you're referring to the SAML spec, it has nothing to say about this
>issue. The companion spec that Peter pointed is one approach but there
>is a small fraction of Federations worldwide (that I know of, anyway)
>that employ a model based on CA-signed certificates in metadata.

As long as it's exactly one, controlled, CA, that's relatively safe.
Otherwise it's simply asking to get hacked, because without naming
constraints and/or control over the issuance, you have no control over
what's being issued and what the relationship is between a SAML name and a
subject DN. There is nothing in SAML to do this, and there is no standard
way of expressing the right rules in SAML metadata (though there are
non-standard ways).

In short, a good number of SAML systems in the world have literally no
idea what they're doing and are operating unsafely. That is probably
unsurprising since you could s/SAML/anything in that sentence and be

-- Scott
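The failure mode Scott describes, and the InCommon sentence quoted in question 2 above, can be made concrete with a small trust-model comparison. The following is an added example written for this archive; it is not code from the list, from Shibboleth, or from any SAML product. It uses only Go's standard library and assumes hypothetical names: an entityID of https://idp.example.org/saml whose certificate has CN idp.example.org, a CA called "Example Public CA", and a second customer of that same CA with CN attacker.example.net. The signed body is a constructed stand-in for a SAML response, not real XML-Signature processing; the point is purely which signing certificates a relying party ends up accepting under each trust policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on err: key generation, certificate creation and signing only fail if the RNG does.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 certificate for subjectCN: a self-signed CA when ca is nil, else signed by ca/caKey.
func issue(subjectCN string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial; a real CA uses random serials
		Subject:      pkix.Name{CommonName: subjectCN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = ca, caKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// SignedMessage stands in for a signed SAML response: bytes, ECDSA signature over their SHA-256
// digest, and the certificate the sender says it signed with (what ds:KeyInfo would carry).
type SignedMessage struct {
	Body, Sig []byte
	Signer    *x509.Certificate
}

func sign(body []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) SignedMessage {
	d := sha256.Sum256(body)
	return SignedMessage{Body: body, Sig: must(ecdsa.SignASN1(rand.Reader, key, d[:])), Signer: cert}
}

func sigValid(m SignedMessage) bool {
	pub, ok := m.Signer.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(m.Body)
	return ok && ecdsa.VerifyASN1(pub, d[:], m.Sig)
}

// Policy 1, the unsafe pattern: accept any signer whose certificate chains to the CA.
func acceptByCA(roots *x509.CertPool, m SignedMessage) bool {
	_, err := m.Signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && sigValid(m)
}

// Policy 2: CA trust plus a locally invented rule tying the subject DN to the entity (SAML has no standard way to express it).
func acceptByCAAndName(roots *x509.CertPool, expectedCN string, m SignedMessage) bool {
	return acceptByCA(roots, m) && m.Signer.Subject.CommonName == expectedCN
}

// Policy 3, explicit key trust: the signing certificate must be the one in the entity's metadata; the issuer is irrelevant.
func acceptByMetadata(metadata map[string]*x509.Certificate, entityID string, m SignedMessage) bool {
	expected, ok := metadata[entityID]
	return ok && expected.Equal(m.Signer) && sigValid(m)
}

type Outcome struct{ ByCA, ByCAAndName, ByMetadata bool } // one flag per policy

// scenario issues two certs from one CA (the real IdP and another customer) and has both sign a response claiming to be the IdP.
func scenario() (legit, other Outcome) {
	const entityID, idpCN = "https://idp.example.org/saml", "idp.example.org" // hypothetical names
	caCert, caKey := issue("Example Public CA", nil, nil)
	idpCert, idpKey := issue(idpCN, caCert, caKey)
	otherCert, otherKey := issue("attacker.example.net", caCert, caKey) // same CA, different subject
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	metadata := map[string]*x509.Certificate{entityID: idpCert} // what the SP's metadata lists
	body := []byte(`<Response Issuer="` + entityID + `">...</Response>`) // constructed stand-in
	eval := func(m SignedMessage) Outcome {
		return Outcome{acceptByCA(roots, m), acceptByCAAndName(roots, idpCN, m), acceptByMetadata(metadata, entityID, m)}
	}
	return eval(sign(body, idpKey, idpCert)), eval(sign(body, otherKey, otherCert))
}

func main() {
	legit, other := scenario()
	fmt.Printf("real IdP:        %+v\nother CA client: %+v\n", legit, other)
}
```

Running it shows the real IdP accepted under all three policies, while the other customer's message passes policy 1 only: its certificate is perfectly valid, it simply belongs to someone else. Policy 3 is the metadata-driven model the companion spec describes, where the metadata itself is the trust anchor and a self-signed certificate works as well as any other. Policy 2 is what a CA-based deployment has to bolt on by hand to be safe, which is exactly the per-deployment, non-standard rule Scott refers to.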
