Shibboleth Developer's Meeting, June 7, 2013
Next call is next Friday.
60 to 90 minute call window.
Just looking at the notes on the wiki. The Decryper/BC issue has nothing to do with keypair verification.
The issue is: a symmetric key is encrypted with public key from key pair A. If it is attempted to be decrypted with private key from key pair B, BC sometimes intermittenly throws a runtime exception, as opposed to the correct checked exception, merely indicating decryption failure.
And FYI, we already have a KeyPair "verification" method in OpenSAML that does pretty much the same thing as the vt-crypt isKeyPair method.
Went to Maastricht for REFEDS.
Memcached storage service code review.
Fixed a late reported Apache 2.4 issue with "require valid-user", posted summary to dev list. Need to update documentation on it.
Will rebuild packages for final testing next week, June 18 release.
Working on enhancements to storage API with Marvin's code, should have something checked in next week. Changed expiration scale to milliseconds from seconds (prefer seconds, but don't like the extra effort everywhere).
Lot of conversation/interest around SHA-2 support and the migration process, Scott Koranda offered to start a wiki page based on some notes I had in email, will need some contributions from Brent, Ian. Basic concern is the NIST phase out and the possibility that InC-Silver and SHA-1 won't mix anymore.
A week or so of vacation days over the next 3 weeks, will be in and out.
Board meeting next week, main topic will be finalizing membership fees going forward. Plan to draft a note to them about plans for the MDA (if any) and the SHA-2 issue.
Deal with discovering that Guava Constraints is deprecated. Need to create JIRA issue. Should probably ask them, on stackoverflow ? The question would be something like : why are Constraints a dead-end ? IMHO, throwin more NPEs does not help. I hope our guarded collections will not throw NPEs on null input, I guess a RuntimeException is okay, ConstraintViolation ?
General comments regarding interfederation scaling ? (TERENA feedback)
Location and naming of web flows : hierarchical by package name (probably not based on Spring Web Flow best practices) or URL profile path ? In a new module like idp-saml-flows or in idp-saml-imp/src/main/resources ? Maven implications. Spent some time with Brent's java-shib-testbed.
Jenkins build and BC.
shib-users email ?
Daniel summarized the BC/Santuario runtime exception w/RSA keypair verification on behalf of Brent. The issue resulted in a forthcoming vt-crypt feature request to make installation of BC provider optional (currently happens by default). Discussion followed about what components to ship with IdP and the tradeoff between a supported set of system components versus increased maintenance costs w/r/t security and defects.
Ian discussed REFEDS conference and mentioned increasing membership costs and the need for a private forum for operators to have frank, technical discussion. Mentioned "WebFinger" – everything should be discoverable.
Marvin fielded some questions from Tom about memcached storage service specifically and clustering generally. Tom tagged Marvin as a resource for clustering/HA expertise.
Rod briefly summarized work on attribute resolvers.
From Marvin:RE the RSA key matching issue, Chad requested a feature of vt-crypt a while back that provided keypair verification.
AFAICT use of PublicKeyUtils.isKeyPair(PublicKey, PrivateKey) would have avoided the BC/Santuario runtime exception issue.