
metadata-support - Re: [Metadata-Support] TLS/SSL certificate for https://md.incommon.org?

Subject: InCommon metadata support

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Metadata-Support] TLS/SSL certificate for https://md.incommon.org?
  • Date: Mon, 3 Feb 2014 18:43:55 -0500

On Mon, Feb 3, 2014 at 6:11 PM, Gary Griffith <> wrote:
>
> When connecting to https://md.incommon.org/InCommon/InCommon-metadata.xml, I
> get presented the SSL certificate for wayf.incommonfederation.org instead.

The published endpoints for InCommon metadata are (and always have
been) ordinary HTTP endpoints as shown in the wiki
(https://spaces.internet2.edu/x/SoG8Ag). Please use the published
endpoint locations when configuring your metadata client.

As noted on the Metadata Consumption wiki page
(https://spaces.internet2.edu/x/JwQjAQ), your client should be
configured to validate the expiration date and verify the XML
signature on downloaded metadata. There are wiki pages that show how
to do this for Shibboleth and simpleSAMLphp. If you're using something
else, please let us know so we can document it.

> Are there any plans to get a server certificate for md.incommon.org?

No, not at this time, but in any case fetching metadata via HTTPS
probably doesn't do what you want, so it should be avoided.

OTOH, we are in the process of bringing up a secure server for
distributing the metadata signing certificate, which has very
different security requirements. Consequently, the bootstrap process
outlined in the wiki (https://spaces.internet2.edu/x/moHFAg) will
change, for the better. As soon as the server is ready, we will
announce it.

Thanks,

Tom
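
Added example, not part of the original message and not InCommon's or any SAML product's code: the expiration-date check the reply asks metadata clients to perform, applied to a document whose XML signature has already been verified (signature verification needs an XML-DSig library and is not shown here). The 14-day maximum window, the function and exception names, and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROOTS = {f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"}

# Constructed sample document (not real InCommon metadata).
SAMPLE = (b'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          b'Name="urn:example:constructed" validUntil="2014-02-17T18:43:55Z"/>')


class MetadataRejected(Exception):
    """Raised when a metadata document fails the validity-window check."""


def check_valid_until(xml_bytes, now, max_validity=timedelta(days=14)):
    """Return the time left before expiry, or raise MetadataRejected.

    Call this only on bytes whose signature has already been verified.
    max_validity is an assumed local policy value: it rejects documents that
    claim to stay valid so long that an old signed copy could be replayed.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag not in ROOTS:
        raise MetadataRejected(f"unexpected root element {root.tag}")
    raw = root.get("validUntil")
    if raw is None:
        raise MetadataRejected("root element has no validUntil attribute")
    try:
        # SAML timestamps are UTC with a trailing 'Z'.
        valid_until = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        raise MetadataRejected(f"unparseable validUntil {raw!r}") from None
    if valid_until.tzinfo is None:
        raise MetadataRejected("validUntil carries no time zone")
    remaining = valid_until - now
    if remaining <= timedelta(0):
        raise MetadataRejected(f"metadata expired at {raw}")
    if remaining > max_validity:
        raise MetadataRejected(f"validUntil {raw} is beyond the allowed window")
    return remaining


if __name__ == "__main__":
    fetched_at = datetime(2014, 2, 3, 23, 43, 55, tzinfo=timezone.utc)
    print("time left:", check_valid_until(SAMPLE, fetched_at))
```
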


