FIDERN sets the following security and trust requirements around certificates included in Federation metadata:
- The use of long-lived, self-signed certificates in Federation metadata is strongly RECOMMENDED.
- Certificates with lifetimes of at least 10 years are RECOMMENDED to avoid unnecessary technically-imposed deadlines on key rollover.
- Certificates SHOULD expire before 2038, when 32-bit Unix time values roll over.
- RSA keys with a minimum size of 2048 bits MUST be used for all new certificates introduced into Federation metadata.
- New certificates with key sizes less than 2048 bits are not allowed in Federation metadata.
- Certificates with keys greater than 2048 bits are NOT RECOMMENDED since such keys force relying parties to perform unnecessary computation.
- Expired certificates SHOULD NOT be introduced into Federation metadata. An expired certificate in metadata SHOULD be removed once a certificate migration process to a new certificate has been completed.
- A certificate's expiration date has nothing to do with the security of the corresponding private key, which is an ongoing concern.
- If a private key is lost or stolen, immediate steps MUST be taken to configure a new private key and to introduce the corresponding public key certificate into metadata. Generating a new private key for any other purpose is NOT RECOMMENDED.
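The requirements above can be checked mechanically before a certificate is published. The following checker is an added example, not FIDERN's own tooling; it assumes the input is the dump produced by `openssl x509 -noout -text -in cert.pem`, approximates "self-signed" by comparing issuer and subject, and embeds constructed sample dumps rather than real certificates.

```python
import re
from datetime import datetime, timezone

CUTOFF_2038 = datetime(2038, 1, 1, tzinfo=timezone.utc)  # "expire before 2038"
MIN_LIFETIME_DAYS = 10 * 365                              # "at least 10 years"
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"                     # e.g. "Jan  1 00:00:00 2020 GMT"

def parse_x509_text(text):
    """Pull the fields the policy needs out of `openssl x509 -noout -text` output."""
    def field(label):
        m = re.search(r"^\s*" + label + r"\s*:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else ""
    def date(label):
        return datetime.strptime(field(label), OPENSSL_DATE).replace(tzinfo=timezone.utc)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    return {"issuer": field("Issuer"), "subject": field("Subject"),
            "not_before": date("Not Before"), "not_after": date("Not After"),
            "algorithm": field("Public Key Algorithm"),
            "key_bits": int(bits.group(1)) if bits else 0}

def check_metadata_cert(info, now=None):
    """Return [(requirement level, finding)] for one certificate; [] means compliant."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Issuer == subject is a heuristic for "self-signed"; verifying the signature
    # with the certificate's own public key is the authoritative test.
    if info["issuer"] != info["subject"]:
        findings.append(("RECOMMENDED", "not self-signed"))
    days = (info["not_after"] - info["not_before"]).days
    if days < MIN_LIFETIME_DAYS:
        findings.append(("RECOMMENDED", f"lifetime of {days} days is under 10 years"))
    if info["not_after"] >= CUTOFF_2038:
        findings.append(("SHOULD", "expires in or after 2038"))
    if "rsa" not in info["algorithm"].lower() or info["key_bits"] < 2048:
        findings.append(("MUST", f"{info['algorithm']} {info['key_bits']}-bit key; RSA >= 2048 required"))
    elif info["key_bits"] > 2048:
        findings.append(("NOT RECOMMENDED", f"{info['key_bits']}-bit RSA key exceeds 2048"))
    if info["not_after"] <= now:
        findings.append(("SHOULD NOT", "expired; tolerated only until key migration completes"))
    return findings

def check_x509_text(text, now=None):
    return check_metadata_cert(parse_x509_text(text), now)

# Constructed sample dumps (not real certificates): one compliant, one not.
SAMPLE_OK = """\
        Issuer: CN=idp.example.org
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2030 GMT
        Subject: CN=idp.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
SAMPLE_BAD = SAMPLE_OK.replace("2030", "2040").replace("2048", "4096")

if __name__ == "__main__":
    for name, dump in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_x509_text(dump) or "compliant")
```

Run it against each certificate before it enters metadata; the MUST finding blocks publication, while the lower-severity ones are the points to raise with the entity's operator.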