md-distro - Re: [md-distro] certs in metadata signed by the InC CA
Subject: Metadata Distribution Subcommittee of TAC
- From: Tom Scavo
- Subject: Re: [md-distro] certs in metadata signed by the InC CA
- Date: Sat, 10 Aug 2013 09:25:08 -0400
On Sat, Aug 10, 2013 at 7:43 AM, Ian Young wrote:
>
> On 5 Aug 2013, at 17:53, Tom Scavo wrote:
>
>> How many certs signed by the InC CA are expired? ALL of them.
>>
>> Note that most of the unique expired certs in metadata are signed by the
>> InC CA.
>
> As a matter of interest, do you happen to know offhand whether any or all
> of these are accompanied by a KeyName, or are they all just bare
> certificate data?

I'm not sure what group of certs you're interested in but I can
provide an answer regardless: there are no KeyName elements in
InCommon metadata.

> I ask because we've found fewer legacy PKI-related problems occur if there
> is no KeyName. In Shibboleth's case, that's because the trust engines
> don't fall back to PKIX unless there is a KeyName, but we've seen related
> behaviour with other software.

Hmm, okay. This is yet another example of what will happen when we
start aggregating entity descriptors from multiple federations.

Tom
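
The KeyName question raised in this exchange can be checked mechanically before entity descriptors from several federations are merged. The following is an added example, not part of the original message or of any federation's tooling: it lists every KeyDescriptor in a SAML metadata aggregate and reports whether it carries a ds:KeyName or only bare certificate data. The sample aggregate, entity IDs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample aggregate (not real federation metadata; cert data is a placeholder).
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.org/shibboleth"><md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo>
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/sp"><md:SPSSODescriptor>
    <md:KeyDescriptor><ds:KeyInfo>
      <ds:KeyName>sp.example.net</ds:KeyName>
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo>
      <ds:KeyName>sp-enc.example.net</ds:KeyName>
    </ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def audit_keynames(metadata_xml):
    """Return one finding per KeyDescriptor: entity, use, key names, has_cert."""
    findings = []
    root = ET.fromstring(metadata_xml)
    # iter() also matches the root, so a lone EntityDescriptor document works too.
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        for kd in entity.iter("{%s}KeyDescriptor" % MD):
            names = [(n.text or "").strip() for n in kd.findall("ds:KeyInfo/ds:KeyName", NS)]
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            findings.append({"entity": entity.get("entityID"),
                             "use": kd.get("use", "unspecified"),
                             "key_names": names, "has_cert": cert is not None})
    return findings


def entities_with_keyname(findings):
    """Entity IDs that carry at least one KeyName and so deserve a closer look."""
    return sorted({f["entity"] for f in findings if f["key_names"]})


if __name__ == "__main__":
    for f in audit_keynames(SAMPLE):
        label = "KeyName present" if f["key_names"] else "bare key material"
        print(f["entity"], f["use"], label, f["key_names"])
```

An empty result from `entities_with_keyname` corresponds to the state reported above for InCommon metadata; a non-empty one identifies the entities whose keys a relying party may evaluate by name rather than by the embedded certificate alone.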