Shibboleth Developer's Meeting, June 7, 2013

...

60 to 90 minute call window.


Brent

Just looking at the notes on the wiki. The Decrypter/BC issue has nothing to do with keypair verification.

The issue is: a symmetric key is encrypted with the public key from key pair A. If an attempt is made to decrypt it with the private key from key pair B, BC sometimes intermittently throws a runtime exception, as opposed to the correct checked exception, merely indicating decryption failure.

And FYI, we already have a KeyPair "verification" method in OpenSAML that does pretty much the same thing as the vt-crypt isKeyPair method.


Daniel


Ian

Went to Maastricht for REFEDS.

...

https://spaces.internet2.edu/display/scalepriv/Scalable+Privacy

Notes

Daniel summarized the BC/Santuario runtime exception w/RSA keypair verification on behalf of Brent. The issue resulted in a forthcoming vt-crypt feature request to make installation of BC provider optional (currently happens by default). Discussion followed about what components to ship with IdP and the tradeoff between a supported set of system components versus increased maintenance costs w/r/t security and defects.

Ian discussed REFEDS conference and mentioned increasing membership costs and the need for a private forum for operators to have frank, technical discussion. Mentioned "WebFinger" – everything should be discoverable.

Marvin fielded some questions from Tom about memcached storage service specifically and clustering generally. Tom tagged Marvin as a resource for clustering/HA expertise.

Rod briefly summarized work on attribute resolvers.


From Marvin: Re the RSA key matching issue, Chad requested a feature of vt-crypt a while back that provided keypair verification.

https://code.google.com/p/vt-middleware/source/browse/vt-crypt/trunk/src/main/java/edu/vt/middleware/crypt/asymmetric/PublicKeyUtils.java?spec=svn2382&r=2382

AFAICT use of PublicKeyUtils.isKeyPair(PublicKey, PrivateKey) would have avoided the BC/Santuario runtime exception issue.
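Added illustration of the two points discussed above, not code from vt-crypt, OpenSAML or Bouncy Castle: an RSA keypair consistency check (the hypothetical `isRsaKeyPair`, standing in for what `PublicKeyUtils.isKeyPair` provides) run before any decryption, plus a decrypt wrapper that folds a provider's RuntimeException into the checked exception a caller expects. Uses only the standard JCA API; the OAEP transformation name is an assumption about the provider in use.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyPairCheck {

    // Hypothetical check: an RSA public/private pair is consistent iff both carry the same modulus.
    static boolean isRsaKeyPair(PublicKey pub, PrivateKey priv) {
        if (!(pub instanceof RSAPublicKey) || !(priv instanceof RSAPrivateKey)) {
            return false;
        }
        return ((RSAPublicKey) pub).getModulus().equals(((RSAPrivateKey) priv).getModulus());
    }

    // Unwrap a symmetric key with the configured pair. Refuse up front when the pair does not
    // match, and turn any unchecked provider failure into the checked exception callers handle.
    static SecretKey unwrapChecked(byte[] wrapped, KeyPair configured) throws GeneralSecurityException {
        if (!isRsaKeyPair(configured.getPublic(), configured.getPrivate())) {
            throw new GeneralSecurityException("configured public and private keys do not match");
        }
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            c.init(Cipher.UNWRAP_MODE, configured.getPrivate());
            return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        } catch (RuntimeException e) {
            throw new GeneralSecurityException("decryption failed", e);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair a = kpg.generateKeyPair();
        KeyPair b = kpg.generateKeyPair();
        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        wrap.init(Cipher.WRAP_MODE, a.getPublic());
        byte[] wrapped = wrap.wrap(KeyGenerator.getInstance("AES").generateKey()); // wrapped under A
        System.out.println("A/A consistent: " + isRsaKeyPair(a.getPublic(), a.getPrivate()));
        // Misconfigured deployment: public key from A paired with private key from B.
        KeyPair mixed = new KeyPair(a.getPublic(), b.getPrivate());
        try {
            unwrapChecked(wrapped, mixed);
        } catch (GeneralSecurityException e) {
            System.out.println("Rejected before decryption: " + e.getMessage());
        }
    }
}
```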