Certificates in Metadata

FIDERN sets the following security and trust requirements around certificates included in Federation metadata:

  • The use of long-lived, self-signed certificates in Federation metadata is strongly RECOMMENDED.
    • Certificates with lifetimes of at least 10 years are RECOMMENDED to avoid unnecessary technically-imposed deadlines on key rollover.
    • Certificates SHOULD expire before 2038.
  • RSA keys with a minimum size of 2048 bits MUST be used for all new certificates introduced into Federation metadata.
    • New certificates with key sizes less than 2048 bits are not allowed in Federation metadata.
    • Certificates with keys greater than 2048 bits are NOT RECOMMENDED since such keys force relying parties to perform unnecessary computation.
  • Expired certificates SHOULD NOT be introduced into Federation metadata. An expired certificate in metadata SHOULD be removed once a certificate migration process to a new certificate has been completed.
    • A certificate's expiration date has nothing to do with the security of the corresponding private key, which is an ongoing concern.
  • If a private key is lost or stolen, immediate steps MUST be taken to configure a new private key and to introduce the corresponding public key certificate into metadata. Generating a new private key for any other purpose is NOT RECOMMENDED.
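The checks above can be automated against a metadata file. The following is an added example, not FIDERN's own tooling; it relies on the third-party `cryptography` package, and the certificate, entityID `https://idp.example.org/idp` and subject name it builds are constructed test data.

```python
"""FIDERN metadata-certificate checks (added example; needs 'cryptography'; sample data constructed)."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
UTC = dt.timezone.utc

def check_cert(cert, now):
    """Return policy findings for one certificate; an empty list means compliant."""
    nb, na = (getattr(cert, a + "_utc", None) or getattr(cert, a).replace(tzinfo=UTC)
              for a in ("not_valid_before", "not_valid_after"))  # aware UTC on any cryptography release
    key = cert.public_key()
    bits = key.key_size if isinstance(key, rsa.RSAPublicKey) else 0  # non-RSA fails the MUST
    rules = [
        (bits < 2048, "MUST: RSA key of at least 2048 bits is required"),
        (bits > 2048, "NOT RECOMMENDED: key larger than 2048 bits burdens relying parties"),
        (na < now, "SHOULD NOT: certificate is already expired"),
        (na - nb < dt.timedelta(days=3653), "RECOMMENDED: lifetime is shorter than 10 years"),
        (na.year >= 2038, "SHOULD: certificate expires in or after 2038"),
        (cert.issuer != cert.subject, "RECOMMENDED: not self-signed (issuer differs from subject)"),
    ]
    return [msg for failed, msg in rules if failed]

def check_metadata(xml_text, now):
    """Return (subject, findings) for every ds:X509Certificate found in the metadata."""
    results = []
    for el in ET.fromstring(xml_text).iter(f"{{{DS_NS}}}X509Certificate"):
        cert = x509.load_der_x509_certificate(base64.b64decode("".join(el.text.split())))
        results.append((cert.subject.rfc4514_string(), check_cert(cert, now)))
    return results

def make_sample_cert(key_bits, days, start=dt.datetime(2024, 1, 1, tzinfo=UTC)):
    """Constructed self-signed test certificate (not a real federation key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "idp.example.org")])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name).serial_number(1)
            .public_key(key.public_key()).not_valid_before(start)
            .not_valid_after(start + dt.timedelta(days=days)).sign(key, hashes.SHA256()))

def sample_metadata(cert):
    """Wrap one certificate in minimal constructed SAML metadata, as a test input."""
    b64 = base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
    return (f'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="{DS_NS}" '
            f'entityID="https://idp.example.org/idp"><md:IDPSSODescriptor><md:KeyDescriptor><ds:KeyInfo>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>')
```

Point `check_metadata` at a real aggregate and any entry with a non-empty findings list is one to raise with the entity operator before the next metadata publication.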