RE: Shibboleth SP V3 Beta available for Windows

RE: Shibboleth SP V3 Beta available for Windows

Cantor, Scott E.
As a follow up, I would appreciate it if those in a position to care about the defaults could review the release notes on some of the decisions I made, none of which are set in stone at this point. Probably the least surprising is moving the default signing to SHA-256, and probably the one likely to cause the most hassles for operators is removing the Query plugin and SAML 1.1 support by default.

-- Scott


Re: Shibboleth SP V3 Beta available for Windows

Scott Koranda-2
Hi,

> As a follow up, I would appreciate it if those in a position to care
> about the defaults could review the release notes on some of the
> decisions I made, none of which are set in stone at this point.

Have you decided on the names for the auto-generated key pairs?

If 'sp-cert.pem' and 'sp-key.pem' remain the defaults for the encryption
key then people following documentation that has not been updated yet
(or that will never be updated...) will still "find" the correct cert
for the metadata.

Otherwise if the names change for the encryption key I am concerned we
will see a rash of instances where the signing key (and only the signing
key) makes it into metadata.

Could the signing key file names be something like

.sp-signing-cert.pem
.sp-signing-key.pem

and so effectively "hide" them until they really need to be found?

Another approach might be to not auto-generate the signing keys but
instead provide and document a simple "wrapper" (around OpenSSL) script
to generate the signing keys if/when necessary.

The current SWITCH Debian packages do something similar--they do not
auto-generate the encryption cert/privkey, but the wrapper script is
quick and easy to use to generate them after installation.

Thanks,

Scott K
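
A check for the failure mode raised in this message, where only the signing certificate reaches the SP's metadata. This is an added example, not part of the original thread or of Shibboleth's code. The entityID and certificate body are constructed, and the rule that a KeyDescriptor without a `use` attribute covers both purposes is taken from the SAML metadata specification, not from the thread.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED = {"signing", "encryption"}

# Constructed sample: SP metadata that carries only a signing certificate.
SAMPLE_SIGNING_ONLY = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def key_uses(metadata_xml):
    """Map each SP entityID to the set of key uses its metadata advertises."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() includes the root, so a lone EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        for sp in entity.findall("md:SPSSODescriptor", NS):
            uses = result.setdefault(entity.get("entityID"), set())
            for kd in sp.findall("md:KeyDescriptor", NS):
                if kd.find(".//ds:X509Certificate", NS) is None:
                    continue  # descriptor without a certificate: ignore
                use = kd.get("use")
                # No "use" attribute means the key serves both purposes.
                uses.update({use} if use else REQUIRED)
    return result

def missing_uses(metadata_xml):
    """Return {entityID: [missing uses]} for SPs lacking a required key."""
    return {eid: sorted(REQUIRED - uses)
            for eid, uses in key_uses(metadata_xml).items()
            if REQUIRED - uses}

if __name__ == "__main__":
    print(missing_uses(SAMPLE_SIGNING_ONLY))
```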

RE: Shibboleth SP V3 Beta available for Windows

Cantor, Scott E.
> Have you decided on the names for the auto-generated key pairs?

Well, I picked names, it's not set in stone though it's a little bit of a pain to change them so I would rather get them re-decided once and then change them if I have to. Currently new installs get sp-signing-cert/key.pem and sp-encrypt-cert/key.pem, and upgrades of course are untouched.

> If 'sp-cert.pem' and 'sp-key.pem' remain the defaults for the encryption key
> then people following documentation that has not been updated yet (or that
> will never be updated...) will still "find" the correct cert for the metadata.

I think that's going to be confusing, personally. I don't care that much what the names are, but neither should be what they are now.

> Another approach might be to not auto-generate the signing keys but instead
> provide and document a simple "wrapper" (around OpenSSL) script to generate
> the signing keys if/when necessary.

I didn't see much value in making people jump through hoops to get them generated, but the wrapper is already there. If people really think it should "just generate" an encryption key, I could do that, but I am definitely against naming it generically. I would agree that if I was to leave *either* name alone, it would be the encryption key, but I don't think that's a good idea.

-- Scott


Re: Shibboleth SP V3 Beta available for Windows

Etienne Dysli-Metref
In reply to this post by Scott Koranda-2
On 04/06/18 21:28, Scott Koranda wrote:
> The current SWITCH Debian packages do something similar--they do not
> auto-generate the encryption cert/privkey, but the wrapper script is
> quick and easy to use to generate them after installation.

That's just the same as what the official Debian packages do. I don't
modify it. :) The script /usr/sbin/shib-keygen is installed by package
shibboleth-sp2-utils.

  Etienne



Re: Shibboleth SP V3 Beta available for Windows

Peter Schober
* Etienne Dysli Metref <[hidden email]> [2018-06-05 08:17]:
> On 04/06/18 21:28, Scott Koranda wrote:
> > The current SWITCH Debian packages do something similar--they do not
> > auto-generate the encryption cert/privkey, but the wrapper script is
> > quick and easy to use to generate them after installation.
>
> That's just the same as what the official Debian packages do. I don't
> modify it. :) The script /usr/sbin/shib-keygen is installed by package
> shibboleth-sp2-utils.

I think the point of what Scott K said was that -- contrary to RHEL --
on Debian installing the package does not create the keys
automagically (as part of post-inst hooks or whatever), you'd have to
call the script yourself.

(The fact that it also moved and changed its name is purely for better
FHS support and making it more specific respectively, of course.)

-peter

RE: Shibboleth SP V3 Beta available for Windows

David Langenberg
In reply to this post by Cantor, Scott E.
Yeah, PLEASE do not make installers go off and generate the keys manually as
part of configuration. Getting folks to be comfortable with editing the
.xml config file to set an entityID, especially on Windows, is hard enough
already. I really don't want the added burden of trying to explain to them
how to run the script to make the keys and from there how to know if they
did it right.

Never ask a user to do something that the computer should be able to figure
out and do on its own definitely applies.

Dave

--
David Langenberg
Asst Director, Identity Management
The University of Chicago

-----Original Message-----
From: dev <[hidden email]> On Behalf Of Cantor, Scott
Sent: Monday, June 4, 2018 2:40 PM
To: Shib Dev <[hidden email]>
Subject: RE: Shibboleth SP V3 Beta available for Windows

> Have you decided on the names for the auto-generated key pairs?

Well, I picked names, it's not set in stone though it's a little bit of a
pain to change them so I would rather get them re-decided once and then
change them if I have to. Currently new installs get sp-signing-cert/key.pem
and sp-encrypt-cert/key.pem, and upgrades of course are untouched.

> If 'sp-cert.pem' and 'sp-key.pem' remain the defaults for the
> encryption key then people following documentation that has not been
> updated yet (or that will never be updated...) will still "find" the
> correct cert for the metadata.

I think that's going to be confusing, personally. I don't care that much
what the names are, but neither should be what they are now.

> Another approach might be to not auto-generate the signing keys but
> instead provide and document a simple "wrapper" (around OpenSSL)
> script to generate the signing keys if/when necessary.

I didn't see much value in making people jump through hoops to get them
generated, but the wrapper is already there. If people really think it
should "just generate" an encryption key, I could do that, but I am
definitely against naming it generically. I would agree that if I was to
leave *either* name alone, it would be the encryption key, but I don't think
that's a good idea.

-- Scott


RE: Shibboleth SP V3 Beta available for Windows

Cantor, Scott E.
In reply to this post by Peter Schober
> I think the point of what Scott K said was that -- contrary to RHEL -- on Debian
> installing the package does not create the keys automagically (as part of post-
> inst hooks or whatever), you'd have to call the script yourself.

Obviously I *could* do that in the RPM, for new installs, but I really don't see the value of not generating the keys we intend the default configuration to load. I don't know what the reason for that is on Debian, but I don't think Scott K was suggesting we do that as a general matter, he was just referring to the signing key. But since that key is mandatory for logout to work, I don't think it really makes sense to do one and not the other.

-- Scott


RE: Shibboleth SP V3 Beta available for Windows

Cantor, Scott E.
In reply to this post by Cantor, Scott E.
> I can probably get test packages built for Linux later this week but likely won't
> bother unless somebody actually plans to test it in earnest, as it's time
> consuming.

I had to do some build tests anyway so I am getting a set built but the OBS scheduler is running very slowly and the 64-bit packages are lagging so I won't bother sending a link out until they're actually built.

-- Scott


RE: Shibboleth SP V3 Beta available for Windows

Cantor, Scott E.
> I had to do some build tests anyway so I am getting a set built but the OBS
> scheduler is running very slowly and the 64-bit packages are lagging so I won't
> bother sending a link out until they're actually built.

The beta RPM packages are available in my home project...

https://download.opensuse.org/repositories/home:/Scott_Cantor/

They won't upgrade later to the real release of course, the revisions won't line up.

-- Scott
