Metadata Distribution Subcommittee of TAC

[Ian Young <>]

On 12 Jul 2013, at 12:21, Tom Scavo 
<>
 wrote:

>> eduGain: Uses a self-signed cert to sign their MD. Online signing. Don't
>> know about their security implementation (HSM, etc).
> 
> Recalling the discussion, the above "facts" are mostly speculation.
> Maybe someone will take an action item to obtain authoritative answers
> to these questions?

I can do that.  I've obviously spent some time looking at this before, but 
you're right that the details are worth knowing.  I'll talk to some people 
this week.

I can clear up any doubts you had about my statement that the certificate was 
self-signed, though, which is the immediately relevant item for this group.  
A text dump of said self-signed certificate, as grabbed directly from the 
signed eduGAIN aggregate, is below.

I note in passing that it expires in about a year.

        -- Ian


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1277318612 (0x4c2255d4)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=GEANT, CN=eduGAIN Signer CA
        Validity
            Not Before: Jun 23 18:43:32 2010 GMT
            Not After : Aug  1 18:43:32 2014 GMT
        Subject: O=GEANT, CN=eduGAIN Signer CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:91:7e:5d:73:86:46:85:bd:e2:6f:26:d4:b4:dd:
                    b4:48:3b:79:3b:ee:ad:ac:e6:6f:9c:ea:c4:3c:de:
                    3e:f5:ac:86:9d:fa:f1:82:3b:6f:52:e0:91:c1:5c:
                    72:3f:53:9e:f2:35:b3:4b:82:82:b3:97:43:08:e1:
                    64:2b:b3:82:93:ff:2f:8b:3c:c1:41:f4:cd:25:36:
                    b0:0b:41:df:e8:a7:a3:cd:73:b0:96:28:c3:75:c9:
                    5f:15:fc:be:f8:fe:f6:a9:46:56:fd:d2:03:d5:24:
                    00:47:9a:80:1f:42:68:f2:31:72:d6:df:c2:8b:c3:
                    32:b5:a8:4a:4a:50:8c:4f:05:f4:0c:05:ac:26:87:
                    48:02:d9:3e:67:75:99:dd:70:c3:e9:82:c3:17:c8:
                    6d:80:67:84:06:48:eb:78:b6:0a:6c:a6:34:d2:45:
                    8f:be:5f:e8:22:f5:65:2e:5b:3b:04:1c:77:45:84:
                    24:7d:51:84:3a:fb:58:25:31:58:5e:26:35:66:a0:
                    3d:1b:f5:5f:ca:43:40:45:ff:5c:eb:cb:68:df:5a:
                    57:21:15:e2:0b:95:66:d6:82:25:ac:20:10:38:04:
                    f3:47:a8:55:b8:da:a1:a0:52:bf:43:23:71:73:44:
                    b1:d7:a8:5d:8d:d9:fe:7d:da:dc:dc:4d:e0:d9:d7:
                    57:a3
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         60:bc:88:22:81:53:39:8d:22:18:a4:68:22:26:a7:c5:88:32:
         82:3d:54:c6:1f:fe:20:46:72:8b:da:ba:34:56:f3:90:66:55:
         f1:34:aa:3d:b2:1b:60:5f:b8:0f:11:93:15:fb:c1:ac:af:6f:
         ac:e7:03:b1:d2:b9:01:e9:75:5a:08:ea:9a:0f:6d:a5:b9:ca:
         76:72:df:91:b7:a7:32:ac:ed:dc:99:a3:aa:06:8a:f1:35:0a:
         3e:cf:a8:91:d7:2c:80:89:8a:7d:e9:29:61:9f:1c:b9:24:61:
         ae:b8:07:7d:a9:5f:2e:ed:e3:64:65:be:7d:ae:a2:0e:4c:11:
         80:a0:a3:88:e7:7e:1c:67:c3:48:8f:14:94:c7:13:2d:f1:fc:
         f2:79:63:17:b9:a3:f7:c3:21:45:ed:6c:86:f4:47:46:7a:4f:
         29:b7:e1:8b:14:41:0b:e6:4f:5d:6f:7c:f3:ec:15:57:3a:36:
         47:5a:d3:1a:36:0c:1c:5a:3d:fc:37:89:e4:e8:8e:29:a6:9d:
         3a:0f:2c:52:4b:f4:31:04:58:a4:92:ac:86:50:61:8a:e8:a7:
         47:ed:9d:04:61:90:58:ae:d9:33:18:5e:22:22:c0:a8:0b:5c:
         ac:fb:57:26:ed:70:83:23:b7:fb:42:94:db:03:59:39:48:c7:
         0c:05:9c:da

Attachment: smime.p7s
Description: S/MIME cryptographic signature