Shibboleth Developer's Meeting, 2020-11-06
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2020-11-20. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
- OIDC plugin - versioning, planning
- Duo plugin - delivery of the two alternative implementations vis-à-vis the plugin/module system
- EC2 postmortem
Attendees:
Brent
- OSJ-304
- Done, unless we determine otherwise.
- OSJ-207
- Would like to finally knock this one out, should be easy. Already added Base64URL encoding/decoding support a while back.
- Re Phil's Duo and PKIX work: Maybe we need a different PKIX trust evaluator impl based on e.g. Bouncy Castle, which makes advanced things like dynamic CRL and OCSP easier and more reliable?
Daniel
Henri
- dev/JOIDC-5 merged to main
- Hands-on with the plugin model
Ian
- xmlsectool 3: will cut a beta in the next week or so
- this will require a release of Java parent and java-support
- will also be doing a scan of xmlsectool's dependencies, incl: Bouncy Castle & Santuario
John
- Started to get oriented to Jenkins
- Working on refactoring Ian's PoC Docker-based SP build system to be driven by GNU Make. Aiming to:
- make the whole thing less monolithic w.r.t. the collection of components that go along with the SP itself
- enable a dev to build everything locally with Docker
- also be drive-able by Jenkins
- couple to Docker loosely enough we can reuse for, e.g., an AWS container-based service, or EC2, or...
Marvin
Phil
- JDUO-18
I went a bit off plan looking into CRL and OCSP revocation checking - at the expense of some other plugin things, my mistake.
- Most of the info is either in the ticket or in the email thread - thanks Brent for helping with that.
- Thanks to Brent's IdP changes, revocation checking can be enabled without requiring a static CRL
- Although you **must** enable one or both of CRL download from DPs, or OCSP, or an approved static CRL - otherwise, it will always fail.
- Needs good documentation to highlight the configuration and issues to the deployer
- Might benefit from some CertPathPKIXValidationOptions checking when injecting the trust evaluator e.g. throw an exception if revocation checking is enabled, but a static CRL (although no way to validate that on startup) or CRLDP or OCSP properties were not set.
- JDUO-20: removed the auth0 dep, now signs Nimbus JWTs using a - sigh - invalid key.
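Added example (not Phil's code nor the IdP's own) of the startup check described above: a guard that rejects PKIX parameters which enable revocation checking without any revocation source, wired to the JDK's own CRL Distribution Point and OCSP switches. The Options holder is a hypothetical stand-in for CertPathPKIXValidationOptions.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Set;

public final class RevocationGuard {
    /** Hypothetical stand-in for CertPathPKIXValidationOptions (constructed for this example). */
    public static final class Options {
        boolean revocationEnabled;
        boolean crlDpEnabled;   // fetch CRLs from the certificate's CRL Distribution Points
        boolean ocspEnabled;    // query the certificate's OCSP responder
        Collection<X509CRL> staticCrls = new ArrayList<>();  // deployer-supplied static CRLs
    }

    /** Fail fast at injection time rather than failing every certificate path at runtime. */
    public static void requireRevocationSource(Options o) {
        if (!o.revocationEnabled) {
            return;
        }
        if (o.crlDpEnabled || o.ocspEnabled || !o.staticCrls.isEmpty()) {
            return;
        }
        throw new IllegalStateException(
            "revocation checking is enabled but no CRLDP, OCSP or static CRL source is configured;"
            + " every certificate path would be rejected");
    }

    /** Build PKIXParameters, setting the JDK's process-wide CRLDP/OCSP switches as requested. */
    public static PKIXParameters build(Set<TrustAnchor> anchors, Options o)
            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
        requireRevocationSource(o);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(o.revocationEnabled);
        System.setProperty("com.sun.security.enableCRLDP", Boolean.toString(o.crlDpEnabled));
        Security.setProperty("ocsp.enable", Boolean.toString(o.ocspEnabled));
        if (!o.staticCrls.isEmpty()) {
            params.addCertStore(CertStore.getInstance(
                "Collection", new CollectionCertStoreParameters(o.staticCrls)));
        }
        return params;
    }
}
```

Both switches are JVM-wide in the default PKIX provider, so the guard only confirms that at least one source is configured; it cannot verify on startup that a static CRL is actually current, as noted above.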
Rod
- Nothing
Scott
- Updating documentation with 4.1 changes
- Testing
- JOIDC-15
- GEN-268
Tom
- Probably should schedule AWS cost review regularly / monthly / quarterly
- Worked on tests, Javas, AMIs
- Looking forward to working on consent
- Should figure out how to backup EC2 instance before patching
- Is it okay to start the instance while the AMI is pending?
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html
Other