OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Same certificate for https and SAML signing

On 3/13/14, 12:50 AM, "Vasu Y" <vyal2k@yahoo.com> wrote:
>Questions on CA-signed certs:
>1) Are there any specific issues/drawbacks when using CA-signed
>certificates apart from renewing?

Many. Starting with that it leads to security holes and isn't
interoperable. The names in certificates have no relationship to SAML
naming, and CAs do not issue certificates for SAML use, so you're misusing
a credential, and you're not getting the guarantee you think you are. And
there is no standard way to tie the credential indirectly through naming
to a SAML entity. There are non-standard ways. That's aside from the basic
issue that PKIX libraries are inconsistent, badly implemented, and buggy.

>2) Can someone throw light into "CA-signed certificates can lead to
>configurations that mistakenly establish trust based on the certificate
>signer." (Ref: 

Putting a certificate in can trigger behavior in software that is not
intended because many products make assumptions about them and how to
process them. If you mean the trust model to be a key, but have to use a
certificate for practical reasons, avoiding separate issuers makes it
clear you don't mean the issuer to matter.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]