Versions Compared

Old Version 4

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 5

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A plan to implement the Phase 1 Recommendations of the Metadata Distribution WG is emerging:

Relevant facts:

  1. NIST disallows the use of SHA-1 digests beginning January 1, 2014.
    • The XML signature on InCommon metadata uses a SHA-1 digest algorithm.
  2. The InCommon metadata signing certificate expires on May 2, 2014.
  3. The InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014.
  4. The XML signature on InCommon metadata uses a deprecated SHA-1 digest algorithm.
    • NIST deprecated the use of SHA-1 in conjunction with digital signatures on January 1, 2011.
    • NIST disallows the use of SHA-1 in conjunction with digital signatures beginning January 1, 2014.
    • See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4

Actions:

  1. Replace the current signing certificate with a long-lived, self-signed certificate based on the current key pair. Set the new certificate to expire on December 18, 2037.
  2. Deploy a new metadata aggregate that uses the new self-signed certificate and a SHA2-based signing algorithm.
  3. Recommend that all organizations migrate to the new metadata aggregate asap. In particular, any deployment that (incorrectly) relies on the legacy CA is strongly encouraged to migrate to the new metadata aggregate by March 29, 2014.
  4. Wiki Markup
    Replace the current metadata aggregate with a redirect. \[*date TBD*\]
  5. Create a discussion list for administrators that have questions or experience problems regarding this transition.