metadata-support - RE: [Metadata-Support] Question on updating metadata with new certificates

Subject: InCommon metadata support

  • From: Brad MacDonald <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] Question on updating metadata with new certificates
  • Date: Thu, 26 May 2016 16:41:01 +0000
  • Accept-language: en-US

Thanks Scott and Tom for your responses on this. Luckily we only have 6
IdPs that are in this configuration, so maybe we will be able to coordinate
the effort with the least amount of downtime.

Brad MacDonald
Skillsoft | phone: 613.963.0332 | mobile: 613.858.7414
Senior Platform Engineer, Hosting

| www.skillsoft.com

      

-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott
Sent: Thursday, May 26, 2016 12:36 PM
To:
Subject: RE: [Metadata-Support] Question on updating metadata with new certificates

> I'm afraid that's the answer to your original question. If your
> software does not support multiple decryption keys, it's not possible
> to migrate an encryption certificate in metadata without loss of
> service.

Modulo the obvious:

- flag days
- forcing all IdPs to disable encryption ahead of time

If your software is like this, I would advise you not support encryption
because, well, you really don't. Supporting things like encryption badly is
generally worse for the IdP than not supporting them, since they just end up
creating problems later.

I tend to ask about this when I'm dealing with vendors and this is one of my
red flags for asking if I can turn off encryption for their service.

-- Scott



