...
- InCommon Operations will deploy three new metadata aggregates at the following permanent HTTP locations:
- http://md.incommon.org/InCommon/InCommon-metadata.xml (production metadata)
- http://md.incommon.org/InCommon/InCommon-metadata-preview.xml (preview metadata)
- http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback metadata)
- All metadata aggregates will be signed using a new self-signed signing certificate set to expire on December 18, 2037.
- Although the signing certificate is new, the signing key is not.
- All metadata aggregates will be signed with the same key but the fallback metadata aggregate will use a different digest algorithm.
- Both the production metadata aggregate and the preview metadata aggregate will be signed using a SHA-2 digest algorithm (specifically, SHA-256).
- The fallback metadata aggregate will be signed using the SHA-1 digest algorithm (which is what we use now).
- All deployments shall migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014.
- The current metadata aggregate will be replaced with a redirect to the fallback metadata aggregate on March 29, 2014.
- If your metadata process can verify an XML signature that uses the SHA-256 digest algorithm, migrate to the production metadata aggregate or the preview metadata aggregate.
- If your metadata process can not verify an XML signature that uses the SHA-256 digest algorithm, migrate to the fallback metadata aggregate.
- All deployments shall migrate to the production metadata aggregate or the preview metadata aggregate by June 30, 2014.
- On June 30, the fallback metadata aggregate will be synced with the production metadata aggregate (i.e., all aggregates will be signed using the SHA-256 digest algorithm).
- After June 30, all metadata aggregates published by the InCommon Federation will be signed using the SHA-256 digest algorithm.
See the Phase 1 Implementation Plan FAQ for more information.
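The migration decision above turns on one question: which digest and signature algorithms does the XML signature on the aggregate you consume actually use, and can your verifier handle them? The following script is an added example (not InCommon's code or tooling) that reads a SAML metadata aggregate, locates the enveloped ds:Signature, reports the algorithm URIs and the number of certificates bound in ds:KeyInfo (one for the new self-signed certificate, more than one when a CA chain is bound), and answers whether a consumer that lacks SHA-256 support can safely use that aggregate. The sample documents it builds are constructed placeholders, not real InCommon metadata; the algorithm URIs are the standard W3C XML Signature identifiers. It does not verify the signature itself or check key continuity between the old and new certificates.

```python
"""Inspect the XML signature on a SAML metadata aggregate (added example)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Standard algorithm identifiers from XML Signature / RFC 6931.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

SHA1_ALGS = {RSA_SHA1, DIGEST_SHA1}
SHA256_ALGS = {RSA_SHA256, DIGEST_SHA256}

# Constructed skeleton of a signed EntitiesDescriptor; signature and digest
# values are placeholders and would not verify.
SAMPLE_TEMPLATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="constructed-sample">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig}"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="{dig}"/>
        <ds:DigestValue>Q09OU1RSVUNURUQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>{certs}</ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp"/>
</md:EntitiesDescriptor>
"""


def make_sample(signature_alg, digest_alg, certificate_count=1):
    """Build a constructed aggregate with the given algorithms and cert count."""
    certs = "".join(
        "<ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>"
        for _ in range(certificate_count)
    )
    return SAMPLE_TEMPLATE.format(sig=signature_alg, dig=digest_alg, certs=certs)


def inspect_signature(xml_text):
    """Return the algorithms and KeyInfo shape of the root-level ds:Signature."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        raise ValueError("no enveloped ds:Signature on the root element")
    sig_method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod").get("Algorithm")
    digest_methods = {d.get("Algorithm") for d in sig.iter(f"{{{DS}}}DigestMethod")}
    certs = sig.findall(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")

    # Classify by the union of every hash-bearing algorithm in the signature:
    # a signature that mixes families is flagged rather than guessed at.
    algs = digest_methods | {sig_method}
    if algs <= SHA256_ALGS:
        family = "SHA-256"
    elif algs <= SHA1_ALGS:
        family = "SHA-1"
    else:
        family = "mixed/unknown"
    return {
        "signature_method": sig_method,
        "digest_methods": sorted(digest_methods),
        "family": family,
        "certificate_count": len(certs),
    }


def can_consume(info, consumer_supports_sha256):
    """True if a verifier with the stated capability can check this signature.

    A SHA-1 signature (the fallback aggregate) is consumable by anyone; a
    SHA-256 signature (production/preview) needs a SHA-2-capable verifier;
    anything mixed or unrecognised is rejected so it is investigated.
    """
    if info["family"] == "SHA-1":
        return True
    if info["family"] == "SHA-256":
        return bool(consumer_supports_sha256)
    return False


if __name__ == "__main__":
    for label, doc in (
        ("production-style", make_sample(RSA_SHA256, DIGEST_SHA256, 1)),
        ("legacy-style", make_sample(RSA_SHA1, DIGEST_SHA1, 2)),
    ):
        info = inspect_signature(doc)
        print(label, info, "legacy verifier ok:", can_consume(info, False))
```

Run it against a downloaded aggregate by passing the file contents to inspect_signature; a result of "SHA-256" with one certificate matches the new production and preview aggregates, while "SHA-1" with two certificates matches the current aggregate with its legacy CA certificate bound.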
...
- The InCommon metadata signing certificate expires on May 2, 2014.
- If we don't issue a new metadata signing certificate by May 2, 2014, an expired signing certificate will be bound to the XML signature in metadata.
- The InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014.
- If we don't issue a new metadata signing certificate by March 29, 2014, an expired CA certificate will be bound to the XML signature in metadata.
- The CA certificate adds nothing to the security of metadata, so its presence (expired or not) only serves to confuse consumers.
- The XML signature on InCommon metadata uses the deprecated (and soon-to-be disallowed) SHA-1 digest algorithm.
- NIST deprecated the use of SHA-1 in conjunction with digital signatures on January 1, 2011.
- NIST disallows the use of SHA-1 in conjunction with digital signatures after January 1, 2014.
- See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4
- Multiple, heterogeneous services run on vhost wayf.incommonfederation.org, namely, Metadata Services and the Discovery Service. To provide better quality of service, these services need to be segregated on their own vhosts (md.incommon.org and ds.incommon.org, resp.).
- Note: The InCommon Federated Error Handling Service is already running on ds.incommon.org.
- Multiple metadata aggregates will allow us to deploy changes to InCommon metadata more quickly and safely.
...
- Create a new self-signed signing certificate set to expire on December 18, 2037:
- https://md.incommon.org/certs/incommon.pem
- Make it possible to securely download the new signing certificate via the Federation Manager.
- Deploy a new production metadata aggregate that uses the new self-signed certificate and a SHA2-based signing algorithm (specifically, SHA-256):
- http://md.incommon.org/InCommon/InCommon-metadata.xml
- Deploy a new fallback metadata aggregate that uses the new self-signed certificate and the SHA-1-based signing algorithm (as we do now):
- http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml
- Deploy a new test metadata aggregate that is identical to the production metadata aggregate (initially):
- http://md.incommon.org/InCommon/InCommon-metadata-test.xml
- Advise all deployments to migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014.
- Replace the current metadata aggregate with a redirect to the fallback metadata aggregate on March 29, 2014.
- Retire the following resources on March 29, 2014:
- http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
- http://wayf.incommonfederation.org/InCommon/InCommon-metadata-test.xml
- https://wayf.incommonfederation.org/bridge/certs/incommon.pem
- https://wayf.incommonfederation.org/bridge/certs/ca.pem
- http://incommoncrl1.incommonfederation.org/crl/eecrls.crl
- http://incommoncrl2.incommonfederation.org/crl/eecrls.crl
- Sync the fallback metadata aggregate with the production metadata aggregate on June 30, 2014.
- Remove the redirect to the fallback metadata aggregate on [date TBD].
...