We have stopped warning about expiring self-signed trust fabric certificates

Posted on Thursday, 31 October 2019

The UK federation follows the SAML Metadata Interoperability Profile. This profile requires that a trust fabric certificate in metadata is treated only as a convenient wrapper for a cryptographic public key, with none of the additional semantics normally associated with certificates, such as a check against its expiry date.

There used to be several software products that checked certificate expiry dates, so the UK federation support team would inform UK federation members when a trust fabric certificate in their deployment was due to expire, and request that they change certificate. However, this procedure is an unfamiliar process, quite unlike that of renewing the browser-facing TLS certificate. It introduces a risk of loss of service, and it typically requires substantial input from the UK federation support team.

We have worked with deployers of non-conforming software products to upgrade their software and follow good practice, so we are now in the position where the vast majority of software does follow the Metadata Interoperability Profile. Since most deployments have self-signed trust fabric certificates, we have stopped informing deployers before a self-signed trust fabric certificate expires.

There is a slight complication. Some federations in eduGAIN have a policy of accepting only CA-issued certificates and require certificate renewal. We acknowledge that some deployments registered in the UK federation will need to follow those policies, so we will continue to monitor and inform deployers with CA-issued certificates that are close to expiry.

If you believe that your entity interoperates with a non-conforming software system, or have any questions about our change of practice, please get in touch with the UK federation helpdesk at the earliest available opportunity.

Edited by AlexStuart on 31 October 2019, at 05:12 PM